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Members of the Legislative Audit Committee: 


Included herein is the Statewide Financial Audit Report of the State of 
Colorado for the Fiscal Year Ended June 30, 2020. The audit was conducted 
under the authority of Section 2-3-103, C.R.S., which authorizes the State 
Auditor to conduct audits of all state departments, institutions, and agencies. 
The purpose of this report is to present the results of the Statewide Financial 
Audit for the Fiscal Year Ended June 30, 2020. 


Historically, we have presented the results of our annual financial audit within 
the Statewide Single Audit report in a single volume. For Fiscal Year 2020, we 


are providing this information in two separate reports, as noted below. 


Volume I - The Statewide Financial Audit Report contains financial reporting 
information based on our audit of the State’s Comprehensive Annual Financial 
Report for the Fiscal Year Ended June 30, 2020 (Annual Report). This report 
includes our Independent Auditor’s Report on Internal Control Over Financial 
Reporting and on Compliance and Other Matters Based on an Audit of 
Financial Statements Performed in Accordance with Government Auditing 
Standards. This report also contains our financial findings, conclusions, and 
recommendations, and the responses of the respective state departments, 
institutions, and agencies. Our opinions on the State's financial statements are 
presented in the State's Annual Report, which is available under separate 
cover. We have disclaimed opinions on the Unemployment Insurance and 
Business-type Activities due to not being able to obtain sufficient, appropriate 
audit evidence for balances in these funds. 


DIANNE E. RAY, CPA 


STATE AUDITOR 


OFFICE OF THE STATE AUDITOR 
1525 SHERMAN STREET 
7TH FLOOR 
DENVER, COLORADO 
80203 


303.869.2800 


Unmodified opinions were issued on the Governmental Activities, other major funds, and 


aggregate remaining fund information. 


Volume II - The Statewide Single Audit Report will present our Independent Auditor’s 
Report on Compliance for Each Major Federal Program and on Internal Control Over 
Compliance Required by the Uniform Guidance, and our Report on the Schedule of 
Expenditures of Federal Awards Required by Uniform Guidance. In accordance with the 
federal Single Audit Act, this report will include additional findings and questioned costs 


related to federal awards that came to our attention through the Statewide Single Audit. 


Government Auditing Standards allow for information that is considered sensitive in 
nature, such as detailed information related to IT system security, to be omitted if the 
omission is disclosed because of the potential damage that could be caused by the misuse 
of this information. We consider the specific technical details of certain findings, and their 
related responses and auditor’s addenda to be sensitive in nature and not appropriate for 
public disclosure and have provided the details of these findings, responses, and auditor’s 
addenda to management in a separate, confidential memorandum. Findings with omitted 


information include a disclosure of this omission. 


This Report is intended solely for the use of management and the Legislative Audit 
Committee and should not be used for any other purpose. This restriction is not intended 
to limit distribution of the Report, which, upon release by the Legislative Audit Committee, 
is a matter of public record. 
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STATEWIDE FINANCIAL AUDIT, FISCAL YEAR ENDED JUNE 30, 2020 
FINANCIAL AUDIT 


We Set the Standard for Good Government 


STATE OF COLORADO 


FINANCIAL STATEMENT FINDINGS 


OVERVIEW 


The State’s financial statements covered $45.9 billion in total assets and 
$39.2 billion in total expenditures for Fiscal Year 2020. 


We have issued a disclaimer of opinion on the Unemployment Insurance Fund 
and Business Type Activities of the State of Colorado for the fiscal year ended 
June 30, 2020. A disclaimer of opinion is issued when the auditor is 
unable to obtain sufficient appropriate audit evidence on which to base 
the opinion, and the auditor concludes that the possible effects on the 
financial statements of undetected misstatements, if any, could be both 
material and pervasive. 


This report presents our financial 
audit of the State of Colorado for 
Fiscal Year 2020. The Statewide 
Single Audit Report will be 
released under separate cover in 
June 2021 and will include all 
findings and questioned costs 
related to federal awards, in 
accordance with the federal 


The State of Colorado did not have an adequate methodology to Single Audit Act. 
substantiate the estimated amount of receivables and payables within the 
Unemployment Insurance Fund of $510 million and $872 million, These reports may not include all 


respectively, as of June 30, 2020. The receivable balance includes 
potential overpayments and comprises 54% of total assets of the 
Unemployment Insurance Fund, and 3% of Business-Type Activities. 
The payable balance includes potential claims outstanding at year-end 
and comprises 92% of total liabilities of the Unemployment Insurance 


financial- and compliance-related 
findings and recommendations 
from separately issued reports on 
audits of state departments, 
institutions, and agencies. 

Fund and 7% of the Business-Type Activities. 

In this report, we made 75 
recommendations state 
departments higher 
education institutions resulting 


= We have issued unmodified, or “clean” opinions on the financial statements 
of the State’s governmental activities, each major fund except the 
Unemployment Insurance Fund, aggregate discretely presented component 
units, and aggregate remaining fund information for the Fiscal Year Ended 
June 30, 2020. This means that these financial statements are presented fairly, 


to 
and 


from our financial audit. 


in all material respects, and that the financial position, results of all financial 
operations, and cash flows are in conformance with generally accepted 
accounting principles. The general fund is one of the major funds and also 
included in the governmental activities. 


= We identified 75 internal control weaknesses over financial reporting, 
including 27 material weaknesses and 48 significant deficiencies at 13 state 
departments and higher education institutions. 


AUTHORITY, PURPOSE, AND SCOPE 


This audit was conducted under the authority of Section 2-3-103, C.R.S., which authorizes the State Auditor to conduct 
audits of all departments, institutions, and agencies of state government. The audit was conducted in accordance with 
auditing standards generally accepted in the United States of America and with Government Auditing Standards issued 
by the Comptroller General of the United States. We performed our audit work during the period of March 2020 through 
March 2021. The purpose of this audit was to: 

=" Express an opinion on the State’s financial statements for the Fiscal Year Ended June 30, 2020. 

= Review internal accounting and administrative control procedures, as required by generally accepted auditing 

standards and Government Auditing Standards. 


« Evaluate compliance with applicable state and federal laws, rules, and regulations. 


« Evaluate progress in implementing prior audit recommendations. 


© 
> 


YUOLIGAV/AOD OAGVUOTOD MAMA - 0087'698'E0E UO.LIGNV ALV.LS AHL AO JOIAO AHL LOVLNOO ‘LAOdJTA SIH.L LAOTV NOLLVWUYOANI YJH.LANA AOA 


INTERNAL CONTROLS OVER FINANCIAL 
ACTIVITY AND FINANCIAL REPORTING 


State departments are responsible for reporting financial activity accurately, 


completely, and in a timely manner; and for having adequate internal controls in 


place to ensure compliance with laws and regulations, and with management’s 


objectives. Some of the areas where we identified a need for improvement 


included the following, by state department: 


DEPARTMENT OF LABOR AND EMPLOYMENT. 


> Unemployment Insurance (UI) Financial Reporting. The Department had 
not adjudicated all claims for UI benefits that were paid during Fiscal Year 
2020, and therefore could not estimate the amount of payments that had 
been made due to error or fraud. In addition, the Department did not have 
an adequate methodology for calculating and recording the estimated 
amount of receivables and payables for UI payments, which resulted in 
unverifiable adjustments of $2.1 billion in the Unemployment Insurance 
Fund. Classification: MATERIAL WEAKNESS. 


> Internal Controls Over Financial Reporting. The Department posted 142 
entries totaling $944.3 million up to 44 days late and an additional three 
adjustments totaling $2.1 billion, detailed in the previous bullet, in February 
2021. The Department also submitted six of 10 exhibits after the OSC 
deadline and had errors and omissions on two of the exhibits that included 
a $20.9 million understatement of cash and an approximately $1.4 billion 
omission of expenditures for reporting on the State’s Schedule of Federal 
Assistance. Classification: MATERIAL WEAKNESS. 


DEPARTMENT OF PERSONNEL & ADMINISTRATION’S OFFICE OF THE STATE 
CONTROLLER (OSC). Internal Controls Over Financial Reporting. The OSC had 
numerous errors in financial reporting, including the failure to separately report 
activity within the Highway Users Tax Fund and errors within 7 of 22 
(32 percent) note disclosures. Classification: MATERIAL WEAKNESS. 


DEPARTMENT OF HEALTH CARE POLICY AND FINANCING. Controls Over 
Capital Assets. The Department did not properly capitalize software 
enhancements, amounting to $64.3 million for Fiscal Years 2017 through 
2020. Classification: MATERIAL WEAKNESS. 


DEPARTMENT OF EDUCATION. School Finance Administration. Over $1 million 
in expenditures tested, including salaries, that were recorded to the Department’s 
appropriation for Public School Finance Act administration did not appear to 
be related to the administration of the Act. Classification: SIGNIFICANT 
DEFICIENCY. 


DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT. Accounting 
Controls. The Department posted $52.8 million in year-end adjustments 
after the deadlines. Classification: SIGNIFICANT DEFICIENCY. 


Professional standards define the 
following three levels of financial- 
related internal control weaknesses. 
Prior to each recommendation in 
this report, we have indicated the 
classification of the finding. 


A MATERIAL WEAKNESS is the most 
serious level of internal control 
weakness. A material weakness is a 
deficiency, or combination of 
deficiencies, such that there is a 
that a 


material misstatement of the entity’s 


reasonable possibility 
financial statements will not be 
detected and 
corrected, on a timely basis. 


prevented, or 


A SIGNIFICANT DEFICIENCY is a 
moderate level of internal control 
weakness. A significant deficiency is 
a deficiency, or combination of 
deficiencies, in internal control that 
is less severe than a material 
weakness, yet important enough to 
merit attention by those charged 


A DEFICIENCY IN INTERNAL 
CONTROL is the least serious level of 
internal control weakness. A 
deficiency in internal control exists 
when the design or operation of a 
control does not allow management 
or employees, in the normal course 
their 


functions, to prevent, or detect and 


of performing assigned 
correct, misstatements on a timely 


basis. Deficiencies in internal 
control generally are reported to 
agencies in separate management 
letters and, therefore, would not be 


included in this report. 


= METROPOLITAN STATE UNIVERSITY OF DENVER. Incorrect Recording of 
Asset and Liability Transfer. The University improperly recorded an asset 
transfer by approximately $8.3 million and an interest rate swap by 
approximately $11.5 million. Classification: MATERIAL WEAKNESS. 


= ADAMS STATE UNIVERSITY. Accounting Reconciliation and Reporting 
Controls. The University’s financial information was not accurate and 
properly reconciled, which resulted in approximately $45.0 million in 
corrections after these issues were identified in our audit. Classification: 
SIGNIFICANT DEFICIENCY. 


INTERNAL CONTROLS OVER INFORMATION 
TECHNOLOGY SYSTEMS 


State departments, often in cooperation with the Governor’s Office of 
Information Technology (OIT), are responsible for implementing, operating, 
maintaining, and adequately securing the State’s computer systems. During our 
Fiscal Year 2020 audit, we determined that some state departments’ and OIT’s 
internal controls did not comply with IT and information security related 
standards and/or the Colorado Information Security Policies (Security Policies) 
and OIT Cyber Policies. Issues were identified at the following departments and 
agencies (and related systems): 


= OFFICE OF THE GOVERNOR (OIT). 


> GenTax and Drivers’ License, Record, Identification, and Vehicle Enterprise 
Solution (DRIVES) Policy Compliance. Classification: MATERIAL 
WEAKNESS. 


> GenTax and DRIVES Information Security. Classification: SIGNIFICANT 
DEFICIENCY. 


> GenTax Information Security. Classification: SIGNIFICANT DEFICIENCIES. 
> Pandemic Unemployment Assistance System (PUA) Change Management. 
Classification: SIGNIFICANT DEFICIENCY. 


= DEPARTMENT OF PERSONNEL & ADMINISTRATION’S OFFICE OF THE STATE 
CONTROLLER (OSC). CORE Information Security. Classification: MATERIAL 
WEAKNESS. 


= DEPARTMENT OF HEALTH CARE POLICY AND FINANCING. 


> Business Intelligence and Data Management System (BIDM) SOC Reports. 
Classification: MATERIAL WEAKNESS. 


> Colorado interChange SOC Reports. Classification: SIGNIFICANT 
DEFICIENCY. 
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Our opinion on the financial 
statements is presented in the State’s 
Comprehensive Annual Financial 
Report for Fiscal Year 2020, which 
is available electronically from the 
Office of the State Controller’s 
website at: 


HTTPS://WWW.COLORADO.GOV/ 
PACIFIC/OSC/CAFR 


UNIVERSITY OF COLORADO. 


> PeopleSoft Vendor Management and Data Center Physical Security. 
Classification: SIGNIFICANT DEFICIENCY. 


> PeopleSoft Information Security. Classification: SIGNIFICANT DEFICIENCY. 
> PeopleSoft Change Management. Classification: SIGNIFICANT DEFICIENCY. 


DEPARTMENT OF HUMAN SERVICES. Colorado Personnel Payroll System— 
Information Security. Classification: SIGNIFICANT DEFICIENCY. 


DEPARTMENT OF LOCAL AFFAIRS. CORE Information Security. Classification: 
SIGNIFICANT DEFICIENCY. 


CLASSIFICATION OF FINANCIAL FINDINGS 
STATE OF COLORADO STATEWIDE FINANCIAL AUDIT 
FISCAL YEAR ENDED JUNE 30, 2020 


SIGNIFICANT 
DEFICIENCY | GRAND 
(Moderately | TOTALS 


Serious) 


MATERIAL 
WEAKNESS 
(Most Serious) 


ADAMS STATE 
UNIVERSITY 
EDUCATION 

OFFICE OF THE 
GOVERNOR 

HEALTH CARE 
POLICY AND 
FINANCING 

HUMAN SERVICES 
LABOR AND 
EMPLOYMENT 
LEGISLATIVE 

LOCAL AFFAIRS 
METROPOLITAN 
STATE UNIVERSITY OF 
DENVER 
ADMINISTRATION 

PUBLIC HEALTH AND — 
ENVIRONMENT 


UNIVERSITY OF 
COLORADO 


COLORADO - 2 
UNIVERSITY 


Note: There were no findings classified as a DEFICIENCY IN INTERNAL CONTROL, the least serious deficiency level, 
included in this report. 
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DEPARTMENT OF 
EDUCATION 


Article IX of the Colorado Constitution places responsibility for the 
general supervision of the State’s public schools with the Colorado State 
Board of Education (Board). The Board appoints the Commissioner of 
Education to oversee the Department of Education (Department), 
which serves as the administrative arm of the Board by providing 
assistance to 178 local school districts, which comprised 1,888 schools 
during Fiscal Year 2020. The Department also provides structural and 
administrative support to the Colorado School for the Deaf and Blind, 
as well as the Charter School Institute, which operate as independent 


agencies under the umbrella of the Department. 


For Fiscal Year 2020, the Department was appropriated approximately 
$6.7 billion and 616 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF EDUCATION 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


FEDERAL FUNDS 
$1,128.9 CASH FUNDS 


$1,128.9 


REAPPROPRIATED 
FUNDS 
$42.6 


GENERAL FUNDS 
$4,413.8 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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DEPARTMENT OF EDUCATION 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 
MANAGEMENT AND 
LIBRARY ADMINISTRATION 


PROGRAMS 166 
38 


SCHOOL FOR 
THE DEAF AND 
BLIND 
180 


ASSISTANCE TO 
PUBLIC 
SCHOOLS 
232 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


The following comments were prepared by the public accounting firm 
of BDO USA, LLP, which performed the Fiscal Year 2020 audit work 
at the Department under contract with the Office of the State Auditor. 


SCHOOL FINANCE 
ADMINISTRATION 


The Department is responsible for administering the Public School 
Finance Act (Act). The Act was established in 1994 under the authority 
of Article 54 of Title 22, C.R.S. Pursuant to the Act, the Department 
uses a specified formula to determine state and local funding amounts 
for Colorado’s school districts and charter schools authorized through 
the Department’s Charter School Institute (Institute). The Act contains 
a school finance formula that provides funding for every school district 
and Institute charter school; funding is based upon an annual pupil 
count as of the Pupil Enrollment Count Day, typically October 1. The 
formula provides base funding with additions for various factors, 


including cost of living and the size of the district. Additional funding 


is also provided based upon the number of at-risk students, generally 
those who are free-lunch eligible, enrolled in districts and Institute 
charter schools. Once the district’s Total Program funding is 
determined, it is divided by the funded pupil count to reach the per- 
pupil funding. The factors generate a different per-pupil funding 
allocation for each school district. 


Prior to Fiscal Year 2010, the Department’s administration of the Act 
was funded through general and cash funds. Beginning with Fiscal Year 
2010, the General Assembly changed the funding mechanism for the 
Department’s administration of the Act to the use of funds withheld 
from school districts’ funding under the Act, as well as some cash funds. 
The revised statutory language specifically allows the Department to 
offset its direct and indirect School Finance administrative costs by 
reducing each school district’s and each Institute-authorized charter 
school’s funding under the Act. This funding reduction is referred to as 
the rescission mechanism. For Fiscal Year 2020, the Department was 
appropriated $1.7 million in rescission funding for the Act, with an 
additional $335,000 in centralized appropriations. The Department 
expended about $2.1 million from the amounts rescinded in Fiscal Year 
2020. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls over and complied with 
statutory requirements, Board rules, and Department procedures 
related to the rescission mechanism of the Act, and whether the 
Department ensured that amounts expended with rescission funds were 
appropriate and related to the administration of the Act. 


We obtained the detail of expenditures recorded to the rescission funds 
appropriation during Fiscal Year 2020. From this detail, we selected a 


sample of 17 transactions for testing. In addition, for 3 months of 
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payroll transactions, we obtained the listing of employees who had any 
portion of their salaries and benefits recorded to the rescission 
appropriation code. For these employees, we reviewed the individual’s 
title and the Department division in which the employee worked to 
determine the reasonableness of the individuals whose salaries and 


benefits were charged to the rescission appropriation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of the audit procedures against the following: 


Section 22-54-114(2.3), C.R.S., states that the Act’s rescission 
appropriation should be used “to offset the direct and indirect 
administrative costs incurred by the department in implementing the 


provisions of this article.” 


The Colorado State Board of Education’s Rules for the 
Administration of the Public School Finance Act of 1994 [1 CCR 
301-39] (Rules) establishes regulations and procedures for the 
Department’s administration of the Act. The Rules address various 
Department administrative areas, including procedures for 
revocation or withholding of school district accreditation for Act 
violations; determination of district pupil membership and 
enrollment; as well as district at-risk funding and assignment of cost 
of living factors in the event of district reorganizations. In addition, 
rules and regulations establish audit requirements for district annual 
reports and Department audits of the school districts. 


Colorado Department of Education Personnel Action Form 
Procedures state that the Personnel Action Form requires four levels 
of approvals. The minimum approvals are from the Supervisor, 
Office or Unit Director, Executive Team Member, and Budget. In 
addition, the procedures state that the Human Resources Director’s 
signature is required to ensure that information contained on the 


Personnel Action Form complies with Department standards. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


We found that 8 of the 17 expenditures tested that were recorded to the 
rescission appropriation code did not appear to be related to the 
administration of the Act, as follows: 


The Department spent $1,328 for the purchase of a refrigerator for 
the fourth floor of the Department’s main building at 201 East 
Colfax. 


The Department spent $32,914 for the purchase of a water line and 
Americans with Disabilities Act-accessible water fountain for the 
Department’s main building. 


The Department spent $9,553 for panic buttons and security 


infrastructure at the Department’s main building. 


The Department charged two Preschool Special Education Team 
expenditures totaling $10,044 to the rescission appropriation. The 
Act is in Article 54 of Title 22, while the Preschool program is 
statutorily authorized under Article 28 of Title 22, which may fall 
outside of the statutory requirements for the rescission funding. 
Specifically, we identified the following: 


$1,210 in consulting services for the Department’s Preschool 
Office meeting planning and agenda process, along with a 
Preschool Team Director coaching activity were charged against 
the rescission funds. 


$8,834, or 35 percent, of the overall cost of its annual statewide 
meeting for the Preschool Special Education Team was charged 
against the rescission funds. 


The Department charged $2,426, or 36 percent, of the cost of its 
contract for the Department’s joint LEAN process consulting 
engagement. The Department indicated that the contract was 
entered into to improve consistency across all process steps related 
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to competitive grant applications, awards, programs, and fiscal 
years, and to improve the Department’s fiscal management. 
Although the Department’s fiscal management includes funding 
distributions to the school districts under the Act, it was unclear if 
this type of transaction falls within the statutory guidelines for the 


rescission funding. 


In addition, we identified Department staff positions whose salaries and 
benefits were either fully or partially funded by this appropriation code, 
but the division within the Department to which they were assigned did 
not appear to relate to the administration of the Act. Specifically, we 
identified the following: 


Eleven employees’ salaries, totaling approximately $963,000, and 
their related benefits were either fully or partially funded by the 
rescission appropriation, although the employees had other 
responsibilities for other Department programs that had separate 
funding sources. For example, 10 of the employees work in the P-3 
Office, a division that includes Preschool (Colorado Preschool 
Program and Preschool Special Education); Collaborative Projects; 
kindergarten through third grade literacy; and data and decision 
sciences. Because the Preschool program, as mentioned previously, 
is statutorily authorized through a separate Act, it is not clear 
whether it was appropriate for the Department to charge the 
expenditures against the rescission appropriation. In addition, we 
found that one of the employees returned to the Department after 
retirement, but the employee’s Personnel Action Form after rehire 
did not contain the required levels of approvals. 


WHY DID THESE PROBLEMS OCCUR? 


The Department has not evaluated the Act to define and document in 
policies and procedures the specific types of Department purchases that 
may be covered by the Act’s rescission funds, or trained Department 
staff on those policies and procedures. In addition, the Department has 
historically funded the positions identified to the rescission funding 


source, but has not evaluated whether continued funding of the 


positions fits within the statutory restrictions of the rescission. Finally, 
the Department did not adhere to its procedures to ensure that all 


required approvals were obtained on the Personnel Action Form. 
WHY DO THESE PROBLEMS MATTER? 


Using resources from the rescission appropriation for purposes other 
than administration of the Act could result in noncompliance with 
statutory requirements. In addition, the funds provided to the 
Department through the Act’s rescission mechanism reduce the amount 
that is distributed to the school districts and the Institute’s charter 
schools for Preschool through 12th grade education; therefore, it is 
especially important for the Department to ensure costs charged to the 
appropriation are appropriate and align with the statutory restrictions 
of the rescission funding. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-001 


The Department of Education (Department) should improve its internal 
controls over—and ensure its statutory compliance with—the recording 


of expenses to the Public School Finance Act (Act) rescission funds by: 


A Evaluating the Act to define and document in policies and 
procedures the specific types of Department purchases that may be 
covered by the Act’s rescission funds, then training Department 


employees on those policies and procedures. 


iss) 


Reviewing employee salary and benefit allocations to ensure that 
amounts recorded to the rescission appropriation support the 
administration of the Act. 
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C Ensuring that Personnel Action Forms for employees contain all 


required levels of approvals. 


RESPONSE 


DEPARTMENT OF EDUCATION 


AGREE. IMPLEMENTATION DATE: JUNE 2022. 


As outlined in the Joint Budget Committee FY 2021-22 Staff Figure 
Setting document, in FY 2008-09, the General Assembly created a line 
item for Public School Finance Administration for staff related to school 
finance, the Colorado Preschool Program, and audit-related functions. 
The 2008 school finance bill (H.B. 08-1388) added funding and FTE 
related to the Colorado Preschool Program. The funding source for this 
line item was changed to rescission funds starting in FY2009-10. The 
following year, the School Finance Bill (S.B. 09-215) included the 
statutory language cited above, that the rescission funds were to offset 
the direct and indirect administrative costs incurred by the Department 


in implementing the provisions of the School Finance Act. 


While the statutory language limited the use of the rescission funds to 
implementation of the School Finance Act, the General Assembly did 
not make any adjustments to this line item to move funding for the staff 
associated with the Colorado Preschool Program or staff implementing 
other funding streams or school district financial management and 
reporting. As such, the Department continued to charge these staff and 
the associated operating costs consistent with the historical practice. 
This was recognized by the JBC staff in the FY 2021-22 figure setting 
document: “...some of the positions fit within the original (JBC Staff) 
descriptions of the line item but do not necessarily appear to fit within 
the statutory description in Sec. 22-54-114 (2.3), C.R.S.” The staff 
document further states “...staff intends to work with the Department 
during the 2021 interim to assess potential statutory changes related to 


the use of funds appropriated to this line item.” 


The Department, in collaboration with the Joint Budget Committee 
staff, will review the staff and associated operating costs charged to the 
Public School Finance Administration line item to ensure that the use of 
funds are appropriate and accurately reflected in statute. Additionally, 
the Department will review, and revise as necessary, internal policies 
and procedures related to purchases and staff allocations. The 
Department will train staff on these policies and procedures and will 


ensure all Personnel Action Forms contain all required levels of review. 


I 
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OFFICE OF THE 
GOVERNOR 


The Office of the Governor (Office) is responsible for carrying out the 


directives of the Governor of the State of Colorado. In addition to the 


Governor’s Office, the Office also comprises: 


= Office of the Lieutenant Governor 


= Office of State Planning and Budgeting 


= Office of Economic Development and International Trade (OEDIT) 


= Office of Information Technology (OIT) 


For Fiscal Year 2020, the Office was appropriated approximately 


$426.0 million and 1,162 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 


FTE staff by major areas, respectively, within the Office for Fiscal Year 


2020. 
OFFICE OF THE GOVERNOR 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 
FEDERAL FUNDS 
$6.8 
CASH FUNDS 
$51.6 
REAPPROPRIATED 
FUNDS 
$293.7 


GENERAL FUND 
$73.9 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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OFFICE OF THE GOVERNOR 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 
OFFICE OF THE 
GOVERNOR 
60 OFFICE OF THE 


LIEUTENANT 


GOVERNOR 


7: 
OFFICE OF 


INFORMATION OFFICE OF STATE 
TECHNOLOGY PLANNING AND 
1,013 BUDGETING 
21 


OEDIT 
61 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


ACCOUNTING 
CONTROLS 


The Office’s accounting staff are responsible for all financial reporting, 
including accurate entry, review, and approval of financial transactions 
into the Colorado Operations Resource Engine (CORE), the State’s 
accounting system. This includes accounting for all of the Office’s 
divisions except for OIT, whose accounting function is performed by 
OIT employees. Office accounting staff are also responsible for 
reporting fiscal year-end accounting information for these same 
divisions through forms, or exhibits, to the Office of the State 
Controller (OSC) for inclusion in the State’s financial statements. The 
OSC collects information from state departments and institutions of 
higher education after each fiscal year-end through submitted exhibits 
to assist in its preparation of the State’s financial statements and 


required note disclosures. 


In addition, Office accounting staff responsibilities include recording 
accounting transactions for the OEDIT grants. OEDIT provides grants 
to Colorado public and private higher education institutions and other 
Colorado research institutions and companies operating in advanced 


industries, such as manufacturing, aerospace, bioscience, and 


electronics, to support job creation, innovation, and growth. OEDIT 
awards these grants throughout the year and the grants may last for 
multiple years. OEDIT advances a portion of the grant money to the 
grantee at the start of the grant; a grantee must return any unspent funds 
at the end of the grant award term. Annually, grantees must provide 
OEDIT staff with a report containing an update on grant expenditures, 
including how grantees spent the funds. OEDIT is responsible for using 
this report to ensure grant funds are only spent on allowable costs and 
to track the grant until its funds are exhausted, at which point OEDIT 
closes the grant. According to OEDIT staff, OEDIT had 228 open 
grants comprising a total of $37.6 million in grant awards as of June 
30, 2020, and had advanced $11.3 million of that amount to grantees. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to assess the adequacy and 
effectiveness of the Office’s internal controls over the preparation of 
OSC exhibits and the recording of accounting information into CORE 
for OEDIT-provided, advanced-industry grants. 


We reviewed the Office’s exhibits submitted to the OSC for Fiscal Year 
2020 and the related supporting documentation prepared by Office 
accounting staff. We determined whether Office staff prepared the 
exhibits in accordance with the OSC’s Fiscal Procedures Manual 
(Manual) and the related instructions. As part of reviewing the Exhibit 
M, we reviewed the Office’s fiscal year-end bank and CORE balances to 
determine if the balances and information recorded in CORE were 


accurate. 


We also reviewed six of the 228 grants that OEDIT had open during 
Fiscal Year 2020 to determine whether Office accounting staff recorded 


the advances and related expenditures accurately in CORE. 
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HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit against the following: 


State Fiscal Rule 1-2, Internal Controls, Rule 3.5, requires that state 
departments “implement internal accounting and administrative 
controls that reasonably ensure that financial transactions are 
accurate, reliable, conform to the Fiscal Rules, and reflect the 
underlying realities of the accounting transaction (substance rather 


than form).” 


The Manual contains specific instructions for the completion of 


various exhibits, including the following: 


EXHIBIT M, Custodial Credit Risk Related to Cash on Hand or 
Deposited with Financial Institutions, is used to report financial 


institution deposits by categories of risk. 


EXHIBIT K1, Schedule of Federal Assistance, is used to report 
federal expenditure information to the OSC to aid the OSC in 
preparing the State’s Schedule of Expenditures of Federal 
Awards (SEFA). 


EXHIBIT U3, Tax Abatement Disclosures, is used to report tax 
abatement disclosures, including the gross dollar amount of 


taxes abated during the period. 


EXHIBIT O1, Related Party Transactions, is used to disclose 


related party transactions. 


Governmental Accounting Standards Board (GASB) Statement No. 
33, Accounting and Financial Reporting for Nonexchange 
Transactions, as amended, requires that “cash and other assets 
provided in advance should be reported as advances [assets] by 
providers and as liabilities by recipients until allowable costs have 
been incurred and any other eligibility requirements have been met.” 


Therefore, OEDIT should report all grant money that it advances 


for the advanced-industry grant program as advances until the 


grantee has expended the grant funds on eligible activities. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


Based on our audit testwork, we identified issues with the Office’s 
exhibits, accounting for bank account interest and fees, and accounting 
for OEDIT’s advanced-industry grants. The following are the specific 


issues we identified: 


EXHIBIT ERRORS. We identified errors and omissions related to four of 
12 (33 percent) of the Office’s submitted exhibits for Fiscal Year 2020. 


Specifically, we found the following issues: 


EXHIBIT M, Custodial Credit Risk Related to Cash on Hand or 
Deposited with Financial Institutions. The Office did not include 
all of its bank accounts on the Exhibit M. Specifically, the Office 
excluded two bank accounts with June 30, 2020, balances that 
totaled $63,284. While reviewing the Exhibit M, we also found that 
the Office accounting staff failed to post interest and bank fees in 
CORE. Specifically, the Office’s accounting staff failed to post 
nearly $72,000 in interest and $1,500 in bank fees in CORE for 
Fiscal Year 2020. Furthermore, we found that the Office failed to 
post approximately $748,000 and $121,000 in interest and bank 
fees, respectively, in CORE for Fiscal Years 2017, 2018, and 2019. 
Based on the accounting staff’s subsequent review, they identified an 
additional $70,000 in interest that was not recorded in CORE. After 
we notified accounting staff of the errors and omissions, they 
submitted a corrected Exhibit M to the OSC and made adjustments 
in CORE to correct these errors. 


EXHIBIT K1, Schedule of Federal Assistance. The Office incorrectly 
calculated and reported expenditure amounts for two federal grants 
on its Exhibit K1. Specifically, for the first grant, Office accounting 
staff reported $2,570,674 of expenditures and should have reported 
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$264,999—a difference of $2,305,675—and reported $274,721 of 
expenditures instead of the correct amount of $270,725—a 
difference of $3,996—for the second grant. After we notified Office 
accounting staff of the errors, they submitted a corrected Exhibit K1 
to the OSC. 


EXHIBIT U3, Tax Abatement Disclosures. The Office incorrectly 
reported $14,183,793 instead of $14,244,745 for the Enterprise 
Zone Contribution Tax Credits on the Exhibit—an understatement 
of $60,952. Additionally, the Office incorrectly reported 
$11,939,853 instead of $11,720,336 for the Rural Tourism Act— 
an overstatement of $219,517. After we notified Office accounting 
staff of the errors, they submitted a corrected Exhibit U3 to the OSC. 


EXHIBIT O1, Related Party Transactions. Office accounting staff 
failed to submit an Exhibit O1 to the OSC to disclose that the Office 
paid $52,000 to the Colorado Housing and Finance Authority for 
administrative services while serving as the fiscal agent for the 
Revolving Loan Fund and Loan Loss Reserve programs. After we 
notified the Office accounting staff of the omission, they submitted 
an Exhibit O1 to the OSC. 


OEDIT GRANT ACCOUNTING ERRORS. We determined that Office 
accounting staff incorrectly recorded advances and expenditures in 
CORE for five of the six (83 percent) OEDIT advance-industry grants 


we reviewed. Specifically, we identified the following: 


Office accounting staff incorrectly recorded $86,880 as 
expenditures in CORE for Fiscal Year 2020 for grants that had not 
been expended, and should have been recorded as advances in 
CORE. As a result of the problems we found, the Office’s 
accounting staff began a review for similar issues of the remaining 
222 grants that we did not review as part of our audit. Based on the 
Office accounting staff’s review of 76 of the 222 grants, they 
identified an additional $215,127 of expenditures recorded in 
CORE between Fiscal Years 2017 and 2020 that should have been 


recorded as advances because they had not been spent by the end of 
Fiscal Year 2020. 


Office accounting staff incorrectly recorded $54,096 as 
expenditures in CORE in previous years that should have been 
recorded as expenditures in CORE for Fiscal Year 2020. Based on 
the accounting staff’s review of 76 of the 222 grants, they identified 
an additional $1.0 million in advances that the staff incorrectly 
recorded as expenditures in previous fiscal years that should have 


been recorded as expenditures in Fiscal Year 2020. 


Based on follow-up inquiries, we identified an additional three 
grants for which Office accounting staff incorrectly recorded 
unspent grant funds in Fiscal Year 2020. Specifically, Office 
accounting staff incorrectly recorded the advance of grant funds as 
an expenditure in CORE in previous fiscal years, and when grantees 
returned the unspent funds, Office accounting staff recorded $1,577 
as revenue for Fiscal Year 2020. These three grants were not 
included in our original sample or in the 76 grants the Office 


reviewed. 


As of the end of our audit, Office accounting staff had not submitted 
adjustments to correct the OEDIT grant accounting errors and were still 
reviewing the remaining OEDIT grants to determine what additional 


adjustments, if any, needed to be made in CORE. 


WHY DID THESE PROBLEMS OCCUR? 


The Office lacked adequate internal controls over its financial accounting 
fiscal year-end closing process for Fiscal Year 2020. Specifically, it did not 
have documented procedures for preparing and reviewing OSC-required 
exhibits, or for performing reconciliations between its fiscal year-end bank 
and CORE balances to ensure that fiscal year-end balances and 
information recorded in CORE and reported to the OSC for financial 


statement repor ting were accurate. 


Additionally, the Office did not have adequate internal controls over the 
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tracking and recording of grant information in CORE for its OEDIT 
advanced-industry grants. Specifically, it lacked written policies and 
procedures to ensure grantee reporting is consistent, that grantee annual 
reports are appropriately reviewed, and that grantee information is 
recorded accurately in CORE. Furthermore, the Office lacked adequate 


training on GASB requirements related to advances. 


WHY DO THESE PROBLEMS MATTER? 


Strong financial accounting internal controls, including effective review 
processes and procedures over financial transactions related to bank 
accounts, grant funds advanced to grantees, and exhibits, are necessary to 
ensure that balances are reported accurately and in accordance with 
generally accepted accounting principles. Without sufficient internal 
controls, the Office cannot ensure that it is providing complete and accurate 
financial information to the OSC and, ultimately, that the State’s financial 


statements are accurate. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-002 


The Office of the Governor (Office) should improve its internal controls 


over financial reporting by: 


A Developing and implementing policies and procedures for preparing 
and reviewing fiscal year-end exhibits submitted to the Office of the 


State Controller to ensure the exhibits are accurate and complete. 


B Developing and implementing policies and procedures requiring the 


completion of a fiscal year-end reconciliation between its bank 


I-19 


balances and the Colorado Operations Resource Engine (CORE) to 
ensure they are properly recorded in CORE and reported on the 
Exhibit M. 


C Developing and implementing policies and procedures for Office of 
Economic Development and International Trade advanced-industry 
grants to ensure expenditures and advances are accurately recorded 
in CORE. These policies and procedures should include a process 


for reviewing the annual reports submitted by the grantees and 
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ensuring grantees report grant advances and expenditures 


consistently. 


D Completing its review of the 222 advanced-industry grants that 
remained open as of June 30, 2020, and making any necessary 
adjustments in CORE. 


E Requiring Office staff to attend training on Governmental 
Accounting Standards Board requirements related to advances, as 


applicable. 


RESPONSE 


OFFICE OF THE GOVERNOR 
A AGREE. IMPLEMENTATION DATE: OCTOBER 2021. 


Processes and procedures for preparing and reviewing fiscal year- 
end exhibits submitted to the Office of the State Controller will be 
drafted and approved by June 30, 2021 to be used and implemented 
for the Fiscal Year 2021 Exhibits, typically due after Period 13 close 
in mid-August. 


B AGREE. IMPLEMENTATION DATE: OCTOBER 2021. 


Processes and procedures for completion of fiscal year-end 


reconciliation between bank balances and CORE will be drafted and 
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approved by June 30, 2021 and implemented for the Fiscal Year 
2021 Exhibit M, typically due to the OSC in mid-July. 


AGREE. IMPLEMENTATION DATE: JUNE 2021. 


Policies and procedures for the Office of Economic Development 
and International Trade (OEDIT)'s advanced industries process or 
reviewing annual report for all grants shall be drafted, approved, 
and implemented no later than 6/30/2021. These policies and 
procedures shall include a process for the program review of the 
annual reports submitted by the grantees, ensuring grantees report 
grant advances and expenditures of the advanced payments 
consistently. These processes and procedures will also include 
instructions on how these will be recorded by accounting and how 
accounting will work with the program to ensure all advanced 


payments are recorded properly in CORE. 


AGREE. IMPLEMENTATION DATE: JUNE 2021. 


OEDIT and the Advanced Industries program will complete their 
review of all open grants as of 06/30/2020 no later than 06/30/2021. 
All research, including the amount of the advanced payments 
expended and remaining and the potential CORE adjustments made 
shall be reported to the Office of the Governor's Controller no later 


than this date for review. 


AGREE. IMPLEMENTATION DATE: JUNE 2021. 


All accounting staff within the Office of the Governor and all of its 
Departments will be required to attend a mandatory training on 
GASB 33 and on the recording of advances no later than June 30, 
2021. The Office will work with OSC to identify potential trainings. 


OFFICE OF INFORMATION 
TECHNOLOGY 


The JT Consolidation Bill, codified under state statutes [Sections 24- 
37.5-102 through 24-37.5-112, C.R.S.], was enacted during the 2008 
Legislative Session. This bill consolidated IT operations under OIT for 
most of the Executive Branch, but excluded the Departments of Law, 
State, and Treasury, state-supported institutions of higher education, as 
well as the Judicial and Legislative branches. OIT provides IT services 
and infrastructure to the consolidated agencies, which includes data 
centers, servers, mainframe operations, data storage, operating systems, 
voice and data networks, and the public safety network. OIT also 
oversees information security, projects, and recommends strategies to 


maximize IT service delivery. 


GENTAX AND DRIVES 
POLICY COMPLIANCE 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this finding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the following tinding and response have been provided to 
OIT in a separate, contidential memorandum. 


The Department of Revenue is the business owner of the GenTax and 
the Drivers’ License, Record, Identification, and Vehicle Enterprise 
Solution (DRIVES) systems. Each system fulfills the following 


functions: 
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= GenTax is the State’s primary information system for processing 
taxes collected by the State, including estate, sales, severance, 
business, and individual and corporate income taxes. During Fiscal 
Year 2020, the system was responsible for collecting nearly $15.8 
billion in revenue and paying out approximately $1.4 billion in 
refunds. Most users in the system work for the Department of 
Revenue’s Division of Taxation, but other divisions within the 
Department of Revenue have a variety of access that allows for and 
addresses reporting, accounting, monitoring, or other data sharing 


needs. 


= DRIVES provides an integrated solution for drivers and vehicle 
services, as well as business licensing and revenue accounting. State 
and County Divisions of Motor Vehicles’ employees use DRIVES. 
Most users in the system work for the State Division of Motor 
Vehicles, but other divisions within the Department of Revenue have 
a variety of access that allows for and addresses reporting, 


accounting, monitoring, or other data sharing needs. 


GenTax and DRIVES must comply with the Colorado Information 
Security Policies (Security Policies) that are developed and published by 
OIT. In addition, GenTax contains Federal Tax Information (FTI) and 
must adhere to the Internal Revenue Service (IRS) requirements and 
guidelines, contained within Publication 1075 (Pub 1075), Tax 
Information Security Guidelines for Federal, State, and Local Agencies 
and Entities, to ensure the adequate protection of the FTI data it 


receives, processes, stores, or transmits. 


WHAT WAS THE PURPOSE OF THE 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


Our audit work was designed to determine whether the Department of 
Revenue and OIT have a process in place to apply the appropriate 
security policies to GenTax and DRIVES. We performed our work 
through inquiry of Department of Revenue and OIT staff. 


I 


T 
N 
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HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against IRS Pub 1075 and 


Security Policies. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 
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We identified problems with GenTax and DRIVES select configuration 


settings variance between IRS Pub 1075 and Security Policies. 


WHY DID THIS PROBLEM OCCUR? 


OIT staff indicated that the configuration variance occurred due to the 
way the network architecture is designed and because neither OIT nor 
the Department of Revenue performed an analysis to determine the 


proper policy requirement to apply. 
WHY DOES THIS PROBLEM MATTER? 


This problem increases the risk that the GenTax and DRIVES systems 
containing FTI data may not be protected with adequate security 
controls, as intended by management, which could threaten the 


confidentiality, integrity, and availability of the system and its data. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-003 


The Governor’s Office of Information Technology (OIT) should work 
with the Department of Revenue to improve GenTax and the Drivers’ 
License, Record, Identification, and Vehicle Enterprise Solution 
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(DRIVES) IT controls and further protect Federal Tax Information data 
by: 


A Mitigating the problems identified in PART A of the confidential 
finding. 


B Mitigating the problems identified in PART B of the confidential 
finding. 


RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


A AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Governor’s Office of Information Technology (OIT) agrees to 
this finding. Please see the confidential response for more 


information. 


B AGREE. IMPLEMENTATION DATE: AUGUST 2020. 


The Governor’s Office of Information Technology (OIT) agrees to 
this finding. Please see the confidential response for more 


information. 


SYSTEM SECURITY PLAN 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this finding, along with the response and 
auditor's addendum, to be sensitive in nature and not appropriate for 
public disclosure. Therefore, the details of the following finding, 


response, and auditor's addendum have been provided to OIT in a 


separate, contidential memorandum. 


The overall objective of system security planning is to enhance the level 
of protection over information systems and resources. The purpose of a 
System Security Plan (Security Plan) is to document the security 
requirements for an information system and the security controls in 
place or planned for meeting those requirements. A Security Plan 
outlines the system description, environment, and architecture, as well 
as the roles, responsibilities, and the expected behavior of all individuals 
who access the system. The development of a Security Plan is a joint 
effort between OIT and the business owners. A business owner is the 
agency that owns the data, has the authority to authorize or deny access 
to the data, and is responsible for the accuracy, integrity, and timeliness 
of the data. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether OIT 
implemented our Fiscal Year 2019 System Security Plan 
recommendations to work with the business owner’s vendor to develop 
a process to ensure that the Security Plans for two critical systems are 
reviewed and updated when system material and/or architectural 
configuration changes occur and whether both Security Plans were 
updated accordingly. We performed our audit work through inquiry of 


OIT staff, as well as inspection of supporting documentation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the following: 


Section 9.5.2 [CISP - 017 SP - Security Planning] requires that an IT 
service provider shall review and update the security plan for the 


= 
T 
N 
N 


YUOLIGAV ALV.LS OGVUOTOS AHL JO LUOdAY 


— 
T 
N 
ON 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


information system prior to implementation and when system 
material or architectural configuration changes occur, problems are 
identified, and during security control assessments for those systems 
with a moderate data security categorization. 


According to the OSC’s policy, Internal Control System, state 
agencies must use the Green Book, published by the Government 
Accountability Office, as its framework for its system of internal 
control. The Green Book, Paragraph 16.01, Perform Monitoring 
Activities, states that management should establish and operate 
monitoring activities to monitor the internal control system and 
evaluate the results. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


During our Fiscal Year 2020 audit work, we found that OIT and the 
business owner’s vendor’s personnel revised one of the critical systems’ 
Security Plans by updating specific information in it. However, OIT did 
not provide information or documentation of a process to ensure that 
the Security Plans for the two critical systems are reviewed and updated 
when system material and/or architectural configuration changes occur. 
Additionally, OIT and the business owner’s vendor did not review and 


update the second critical system’s Security Plan. 


WHY DID THESE PROBLEMS OCCUR? 


OIT did not provide a cause as to why a process with the business 
owner’s vendor was not developed, nor did staff state why the second 
critical system’s Security Plan had not been updated during Fiscal Year 
2020. 


WHY DO THESE PROBLEMS MATTER? 


Without proper controls in place to ensure a Security Plan is 
documented in accordance with the Security Policies, there is a risk that 


required or appropriate IT security controls, including those related to 


financial reporting, may not be in place and operating effectively. 
Without a process in place for developing, reviewing, and updating a 
Security Plan, there is a risk of a reduced level of protection and 
assurance underlying the confidentiality, integrity, and availability of 


the information systems. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATION 2019-004C 


RECOMMENDATION 
2020-004 


The Governor’s Office of Information Technology (OIT) should 
strengthen information security controls over the State’s information 


systems and resources by: 


A Mitigating the information security problem noted in confidential 
finding PART A. 


B Mitigating the information security problem noted in confidential 
finding PART B. 


RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


A PARTIALLY AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Governor's Office of Information Technology partially agrees 
with this recommendation. Please see the detailed response for more 


information. 
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AUDITOR’S ADDENDUM 


OIT remains out of compliance with Section 9.5.2 [CISP - 017 SP - 
Security Planning]. 


B AGREE. IMPLEMENTATION DATE: AUGUST 2020. 


The Governor's Office of Information Technology agrees with this 
recommendation. The implementation of this item took place on 
August 27, 2020. Please see the detailed response for more 


information. 


GENTAX AND DRIVES— 
INFORMATION SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
intormation technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this finding, along with the response and 
auditor's addendum, to be sensitive in nature and not appropriate for 
public disclosure. Therefore, the details of the following finding, 
response, and auditor's addendum have been provided to OIT in a 


separate, confidential memorandum. 


Responsibility for the reliability and availability of the GenTax and 
DRIVES systems is shared between the Department of Revenue and 
OIT. The Department of Revenue and its Division of Motor Vehicles 
also work with a third-party contractor, FAST Enterprises (FAST), to 
provide DRIVES support. 


The Department of Revenue is responsible for the information security 
of the GenTax and DRIVES systems and ensuring FAST is compliant 


with Security Policies. 


OIT’s Identity and Access Management team provides information 
security support for the GenTax and DRIVES network and 


applications. 


WHAT WAS THE PURPOSE OF THE 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 
Department of Revenue, with OIT’s support, had adequate information 
security controls in place and operated effectively over GenTax and 
DRIVES. We performed inquiries of and reviewed documentation 


provided by the Department of Revenue and OIT. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against Security Policy 


requirements and supplemental guidance. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


We found that OIT staff did not follow certain Security Policy 
requirements and supplemental guidance related to information security 
controls for GenTax and DRIVES. 


WHY DID THIS PROBLEM OCCUR? 


OIT staff stated that the practice currently in place is reliable and 
practical for GenTax and DRIVES. 
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WHY DOES THIS PROBLEM MATTER? 


The identified problem elevates the risk of system compromise and can 
affect the confidentiality, integrity, and availability of the GenTax and 
DRIVES systems. In turn, if GenTax and DRIVES information security 
processes and controls are not appropriately implemented and 
managed, this can adversely impact the reliability of data that is 
processed, stored, and generated by the systems, as well as the 


automated application controls that are built into them. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-005 


The Governor’s Office of Information Technology (OIT) should 
strengthen information security controls over the GenTax and the 
Drivers’ License, Record, Identification, and Vehicle Enterprise Solution 
(DRIVES) systems by discontinuing the current practice to ensure 
compliance with Colorado Information Security Policies. 


RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


DISAGREE. IMPLEMENTATION DATE: NOT APPLICABLE. 


The Governor’s Office of Information Technology disagrees with this 
finding. Please see the confidential response for more information. 


AUDITOR’S ADDENDUM 


To reduce the risk of system compromise and the related impact to the 
confidentiality, integrity, and availability of systems and data, OIT 
should follow Security Policy requirements and supplemental guidance 
related to information security controls over GenTax and DRIVES. 


GENTAX—INFORMATION 
SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this tinding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the tollowing finding and response have been provided to 


OIT in a separate, contidential memorandum. 


Responsibility for the reliability and availability of the GenTax system 


is shared between OIT and the Department of Revenue. 


OIT provides primarily logical access and system security support for 
the GenTax operating system and application. As part of providing this 
support, OIT’s Identity and Access Management team is responsible for 
user access management, which includes ensuring that unauthorized 
employees do not retain access to the operating system and that inactive 


accounts are disabled within the documented requirements. 
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WHAT WAS THE PURPOSE OF THE 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether OIT 
implemented our Fiscal Year 2019 recommendations. Specifically, we 
recommended that OIT should improve GenTax information security 
controls by prioritizing and successfully implementing the enterprise- 
wide access management system to ensure account management 
controls are in place and operating effectively, including that user 
accounts are automatically disabled after 90 days of inactivity. These 
recommendations were originally made, in part, in Fiscal Year 2014. 
We performed our audit work through inquiry of OIT management and 


staff, as well as inspection of supporting documentation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against IRS Pub 1075, 


specific to system account management requirements. 


Additionally, we measured the results of our audit work against OIT 
Cyber Policies [POL 102, Section 8.1.10], which requires that the 
information system automatically disables inactive accounts after 


90 days of inactivity where technically feasible. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


During our Fiscal Year 2020 audit work, we found that OIT partially 
implemented our prior audit recommendations. OIT did deploy an 
enterprise-wide access management system to address the specific 
account management control issues we noted and to disable GenTax 
accounts that have been inactive for 90 days. However, the system was 
not effectively performing these actions. 
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WHY DID THIS PROBLEM OCCUR? 


OIT staff stated that the enterprise-wide access management system had 
issues during the deployment and that there was an error with the 
90-day inactive coding that caused issues and prevented the account 


disabling process. 


WHY DOES THIS PROBLEM MATTER? 
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The deficiencies noted in our confidential finding increase the risk of 
unauthorized access and could, therefore, threaten the confidentiality, 
integrity, and availability of the GenTax system and its data. 
Ultimately, if key GenTax information security processes and controls, 
including those related to automatic disabling of system user accounts, 
are not in place and operating effectively, the State’s ability to conduct 
tax processing operations in a secure manner could be adversely 
impacted, as well as the reliability of the data related to the State’s 


financial reporting. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 


THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATIONS 2019-005A AND 
2019-006 


RECOMMENDATION 
2020-006 


The Governor’s Office of Information Technology (OIT) should comply 
with Internal Revenue Service Publication 1075 and OIT Cyber Policies 
by resolving the issues encountered during the deployment and coding 
issues in its enterprise wide access management system to ensure 
appropriate account management controls are in place and operating 
effectively, including the operating system automatically disabling user 


accounts after 90 days of inactivity. 
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RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2020. 


The Governor’s Office of Information Technology (OIT) agrees to this 
finding. The recommendation has been implemented at this time. Please 


see the confidential response for more information. 


GENTAX—INFORMATION 
SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this tinding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the following finding and response have been provided to 


OIT in a separate, contidential memorandum. 


OIT primarily provides GenTax system infrastructure services to the 


Department of Revenue. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether OIT 


implemented our Fiscal Year 2019 GenTax information security related 


recommendation. We recommended that OIT should implement 
security controls over GenTax to ensure compliance with applicable 
laws, regulations, and policies. We performed our work through inquiry 
of OIT management and staff, as well as inspection of supporting 


documentation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit against the IRS Pub 1075 and OIT 
Cyber Policies. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


During our Fiscal Year 2020 audit work, we found that OIT partially 


implemented our prior audit recommendation. 


WHY DID THESE PROBLEMS OCCUR? 


OIT explained that the responsibilities for implementing the controls 
noted in our recommendation were not clear and needed additional time 
to clarify with those responsible for them, including OIT’s internal team 
and the technical leads from the Department of Revenue’s GenTax 
vendor. Also, OIT indicated that the Department of Revenue is 
currently weighing two options, one of which is a new version of the 
GenTax application and the other being OIT’s current solution. With 
the Department of Revenue currently considering the options, OIT has 


placed any further actions on hold. 


WHY DO THESE PROBLEMS MATTER? 


If key GenTax information security processes and controls are not in 
place and operating effectively, the State may not be able to detect or 
correct issues related to the accuracy, completeness, and timeliness of 
the data processed or stored within the system. These issues, in turn, 
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could adversely impact the overall data reliability of the State’s financial 
reporting. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 


THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATIONS 2019-007B AND 
2019-007C 


RECOMMENDATION 
2020-007 


The Governor’s Office of Information Technology (OIT) should 
implement information security controls over GenTax to ensure 
compliance with applicable laws, regulations, and policies by working 


with the Department of Revenue by: 


A Implementing recommendation PART A as noted in the confidential 
finding to mitigate the specific related problems noted in the 


confidential finding. 
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iss) 


Implementing recommendation PART B as noted in the confidential 
finding to mitigate the specific related problems noted in the 


confidential finding. 


C Implementing recommendation PART C as noted in the confidential 
finding to mitigate the specific related problems noted in the 


confidential finding. 
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RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


A AGREE. IMPLEMENTATION DATE: JANUARY 2021. 


The Governor's Office of Information Technology agrees with this 
recommendation. Please see the detailed response for more 


information. 
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B AGREE. IMPLEMENTATION DATE: MAY 2021. 


The Governor's Office of Information Technology agrees with this 
recommendation. Please see the detailed response for more 


information. 


C AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Governor's Office of Information Technology agrees with this 
recommendation. Please see the detailed response for more 


information. 


STATE DATA CENTER 
PHYSICAL ACCESS 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this finding, along with the response and 
auditor's addendum, to be sensitive in nature and not appropriate for 
public disclosure. Therefore, the details of the following finding, 
response, and auditor's addendum have been provided to OIT in a 


separate, contidential memorandum. 
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OIT maintains two data centers throughout the State. The purpose of 
these data centers is to centrally manage the servers and computers that 


store critical information for various state agency systems. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether OIT 
implemented our Fiscal Year 2017 Physical Security recommendation. 
Specifically, we recommended that OIT should ensure physical access 
management processes are effective and comply with policies and 
procedures. We performed our audit work through inquiry of data 


center management and inspection of supporting documentation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our work against Security Policies, which 
were updated in October 2019, and OIT Cyber Policies, which are 
composed of policies developed by OIT for those IT services it provides 


to the state agencies. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


During our Fiscal Year 2020 audit work, we identified certain parts of 
the prior audit recommendation that were not fully implemented. As a 
result, problems related to physical security and access management at 


the State’s main data center still exist. 


WHY DID THESE PROBLEMS OCCUR? 


OIT data center management stated that personnel turnover created 
difficulties in finalizing a Standard Operating Procedure and 
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establishing an agreement with the party involved with remediating the 
problems over physical access. In addition, management stated that an 
agreement is on hold until OIT is able to develop policies and 
procedures. Additionally, management cited unexpected complications 
which arose from COVID-19, protests, and subsequent rioting that 
limited their ability to fully implement the recommendations. 


WHY DO THESE PROBLEMS MATTER? 


In combination, these deficiencies increase the risk of inappropriate or 
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unauthorized physical access to systems and data, which could result in 
a risk to the confidentiality, availability, and integrity of state systems 
and data housed at the data center. Ultimately, if physical access to the 
data center is not managed appropriately, it could adversely impact the 
accuracy and completeness of information relevant to the State’s 


financial reporting activities. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATIONS 2019-013C, 


2019-013D, 2018-012C, 2018-012D, 2017-009C, AND 2017-009D 


RECOMMENDATION 
2020-008 


The Governor’s Office of Information Technology (OIT) should ensure 
physical access management processes are effective and comply with 


Colorado Information Security Policies and OIT Cyber Policies by: 


A Prioritizing staff to finalize the draft Standard Operating Procedure 
over physical access to mitigate the specific related problems noted 


in the confidential finding. 


B Developing final procedures and entering into a written agreement 
over physical access to mitigate the specific related problems noted 


in the confidential finding. 
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RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


A PARTIALLY AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The OIT Data Center Manager agrees that the internal formal 
procedure needs to be drafted in the approved OIT SOP format and 
finalized. The management team will make every effort to finalize 
this SOP before Dec 31, 2020. 


The OIT Data Center Management team does not agree with the 
classification of "Significant Deficiency" as this is an administrative 
finding to record actions already being taken. 


AUDITOR’S ADDENDUM 


Colorado Information Security Policies and OIT Cyber Policies require 
OIT to oversee and manage the problems identified in the confidential 
finding. The audit finding classification is solely determined by the 


auditor. 


B PARTIALLY AGREE. IMPLEMENTATION DATE: JUNE 2021. 


This particular recommendation is dependent on the willingness of 
external agencies to agree to an agreement for the management of 
physical security primarily under the responsibility of OIT. OIT 
management will make every effort to put recommended agreements 
in place, or find a suitable alternative to the recommendation. This 
agreement, as there is no similar agreement between OIT and 
another agency, will take time to draft, route, and obtain approval 
from the appropriate management level, therefore the anticipated 


implementation date is June 30, 2021. 


The OIT Data Center Management team does not agree with the 
classification of "Significant Deficiency" as this is an administrative 


finding that does not have any direct effect on the multiple layers of 
security in place at the data center. 


AUDITOR’S ADDENDUM 


Colorado Information Security Policies and OIT Cyber Policies require 
OIT to oversee and manage the problems identified in the confidential 
finding. The audit finding classification 1s solely determined by the 


auditor. 


PANDEMIC 
UNEMPLOYMENT 
ASSISTANCE SYSTEM— 
CHANGE MANAGEMENT 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this tinding, along with the response, to be 
sensitive in nature and not appropriate tor public disclosure. Therefore, 
the details of the following finding and response have been provided to 


OIT in a separate, contidential memorandum. 


The Department of Labor and Employment (Department) is responsible 
for the administration of the State’s Unemployment Insurance (UI) 
program. As part of the administration of this program, the Department 
uses the Colorado Unemployment Benefits System (CUBS) to aid in 
determining eligibility for UI benefits. The Department and OIT has 
been working with an outside vendor since June 2018 on the UI 


modernization project to update the current benefits system, CUBS. 
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In March 2020, the Federal government implemented the Pandemic 
Unemployment Assistance (PUA) program to provide UI assistance to 
individuals not eligible for regular UI, which included, as an example, 
self-employed individuals. Due to the age of CUBS, the Department and 
OIT were unable to update CUBS’ coding to implement the PUA 
program requirements; therefore, a fourth UI system, the PUA system, 


was implemented during April 2020 to handle these claims. 


The Department and OIT, in coordination with the outside vendor, 
provides primary change management support services for the PUA 


system. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 
Department and OIT had sufficient IT internal controls in place relating 


to change management with the PUA system. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the Security Policies 
and OIT Cyber Policy. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


Through our inquiries with Department, OIT, and vendor staff, we 
noted a problem with change management controls over the PUA 


system. 


WHY DID THIS PROBLEM OCCUR? 


The Department, OIT, and vendor staff indicated that the problem 


occurred due to the urgency in the need to implement the PUA system 


and limited resources. 


WHY DOES THIS PROBLEM MATTER? 


The lack of properly implemented change management controls over 
the PUA system increases the risk of unauthorized changes being made 
to the PUA system, which could adversely impact data reliability of 


financial reporting. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-009 


The Governor’s Office of Information Technology should work with 
the Pandemic Unemployment Assistance vendor, as applicable, to 


mitigate the problem noted in the confidential finding. 


RESPONSE 


GOVERNOR’S OFFICE 
OF INFORMATION TECHNOLOGY 


AGREE. IMPLEMENTATION DATE: FEBRUARY 2021. 


The Governor’s Office of Information Technology (OIT) agrees with 
this finding. OIT remediated this finding as of February 2021. 


— 
T 
aN 
Oo 


YUOLIGAV ALV.LS OGVUOTOSO AHL JO LUOdAU 


a 
EN 
EN 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


OFFICE OF THE GOVERNOR 


The following recommendations relating to internal control deficiencies 
each classified as a MATERIAL WEAKNESS or SIGNIFICANT DEFICIENCY 
were communicated to the Office of the Governor (Office) in the 
previous year, and have not been remediated as of June 30, 2020, 
because the original implementation date provided by the Office is in a 
subsequent fiscal year. These recommendations can be found in the 
original report and SECTION III: PRIOR FINANCIAL RECOMMENDATIONS 
of this report. 


A [1] 
CURRENT REC. NO. 2020-010 PRIOR REC. NO. 2019-004 IMPLEMENTATION DATE = vi 2021 
D [1] 


CLASSIFICATION MATERIAL WEAKNESS 


CUBS, CATS, AND CLEAR—INFORMATION SECURITY = 
A AUGUST 2020 

B SEPTEMBER 2020 

c [i] 

D JUNE2021 


CURRENT REC. NO. 2020-011 PRIOR REC. NO. 2019-027 IMPLEMENTATION DATE 


CLASSIFICATION SIGNIFICANT DEFICIENCY 


[1] This part of the recommendation has been implemented, partially implemented, not implemented, or is 
no longer applicable. SEE SECTION III: PRIOR FINANCIAL RECOMMENDATIONS of this report for information 
regarding this part of the recommendation. 


DEPARTMENT OF 
HEALTH CARE POLICY 
AND FINANCING 


The Department of Health Care Policy and Financing (Department) is 
responsible for developing financing plans and policy for publicly funded 
health care programs. The principal programs the Department administers 
are (1) Health First Colorado, Colorado’s Medicaid program (Medicaid) 
which provides health services to eligible needy persons, and (2) the federal 
Children’s Health Insurance Program, which is known in Colorado as the 
Children’s Basic Health Plan (CBHP). CBHP furnishes subsidized health 
insurance for low-income children aged 18 years or younger and pregnant 


women 19 and older who are not eligible for Medicaid. 


For Fiscal Year 2020, the Department was appropriated approximately 
$10.8 billion and 545 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF HEALTH CARE POLICY AND FINANCING 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


CASH FUNDS 
$1,399.0 


GENERAL FUNDS 


$2,974.4 
FEDERAL FUNDS 
$6,355.6 
REAPPROPRIATED 
FUNDS 
$93.7 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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DEPARTMENT OF HEALTH CARE POLICY AND FINANCING 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 


EXECUTIVE 
DIRECTOR'S OFFICE OFFICE OF 
504 COMMUNITY 
LIVING 
41 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


CONTROLS OVER 
CAPITAL ASSETS 


The Department’s Controller Division staff are responsible for all of the 
Department’s financial reporting, including the accurate accounting and 
reporting of the Department’s capital assets. As of June 30, 2020, the 
Department had capital assets, such as software and equipment, totaling 


approximately $187.8 million. 


Costs related to capital assets can be either expensed or capitalized 
based on the nature of the costs and relevant rules and regulations. If 
expensed, a capital asset-related expenditure is recorded immediately 
and included as an expense for the current fiscal year. In contrast, costs 
meeting specified criteria for capitalization should be recorded as an 
asset and expensed over time as either depreciation or amortization, 
depending on the type of asset. Depreciation and amortization are 
methods used to allocate the cost of a specific type of asset over the 
asset’s useful life. Depreciation is generally used for tangible assets while 
amortization is used for intangible assets that lack physical substance, 
such as software. Criteria for capitalization include whether the 
purchase, upgrade, or enhancement is over an established dollar 


threshold, is expected to benefit future years, or meets other accounting 


requirements. For Fiscal Year 2020, the Department recorded 
$23.2 million in software amortization expense in the Colorado 


Operations Resource Engine (CORE), the State’s accounting system. 


During Fiscal Year 2017, the Department implemented a new 
information system called Colorado interChange, as a replacement for 
its previous Medicaid Management Information System (MMIS). 
Colorado interChange was substantially complete and went live on 
March 1, 2017. The Department entered into a contract with a vendor, 
or fiscal agent, to develop and install Colorado interChange and to 


provide ongoing services related to the system. 


In April 2019, the Department updated its contract with the fiscal agent 
to add the development and installation of the Claims Editing Solution, 
a tool that increases speed and accuracy of processing claims, and 
updated requirements for the fiscal agent to provide ongoing system 


support. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls in place over the accounting 
and reporting of capital assets and whether the Department was in 
compliance with the Office of the State Controller’s (OSC) Fisca/ 
Procedures Manual (Manual), Governmental Accounting Standards 
Board Statement No. 51, Accounting and Financial Reporting for 
Intangible Assets (GASB 51), and State Fiscal Rules. 


During our audit, we reviewed the Department’s capital assets costs 
related to Colorado interChange that were expensed during Fiscal Year 
2020. Specifically, we reviewed contracts, contract amendments, 
accounting transactions, and supporting documentation related to the 


capitalization and amortization of Colorado interChange. We reviewed 
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the contracts and transactions to determine whether capital asset 


expenses were appropriately capitalized and amortized, as applicable. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the following: 


GASB 51 was issued to aid governments in the recognition of, and 
accounting for, intangible assets, such as government-developed 
software. The guidance in GASB 51 outlines phases during the 
design and configuration of intangible assets in which costs should 
be expensed or when they should be capitalized as part of the asset. 
Specifically, GASB 51 provides that costs at the post-implementation 
or operation stage should be capitalized if they are related to the 
continuing design and configuration of software, and they increase the 
software’s functionality or efficiency, or extend its estimated useful life. 
Therefore, any costs incurred for enhancements or modifications of 
computer software that increase the capacity or efficiency of the 


assets should be capitalized. 


The Manual (Chapter 4, Section 2.12) provides guidance on 
accounting and reporting of intangible assets of the State. The 
Manual states that costs for updates and enhancements that are 
material in relation to total project costs should be capitalized 


during the post-implementation or operation stage. 


The Manual (Chapter 4, Section 2.4.1) provides various dollar 
thresholds for the capitalization of state assets. For example, the 
capitalization threshold for intangible assets is $50,000. In addition, 
the Manual states, “For expenditures related to repair, remodeling, 
or expansion of an existing capital asset, the department must 
determine if the [cost] increased the capacity, operating efficiency or 
extended the useful life of the asset. If so, such [costs] are capitalized 


as part of the cost of the asset.” 


State Fiscal Rule 1-2(3.5), Internal Controls, requires that 
departments implement internal accounting and administrative 
controls that reasonably ensure that financial transactions are 
accurate, reliable, and conform to State Fiscal Rules. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


Overall, we identified problems with the Department’s capitalization of 
expenditures for Colorado interChange system modifications for Fiscal 
Years 2017 through 2020. Specifically, we found the following: 


FAILURE TO CAPITALIZE COLORADO INTERCHANGE ENHANCEMENT 
costs. The Department incorrectly expensed, rather than 
capitalized, payments made during Fiscal Year 2020 for the 
Colorado interChange upgrade and enhancement that increased the 
efficiency of the system and met the State’s capitalization 
requirements. We also reviewed the Department’s contract with the 
fiscal agent and found that the Department expensed, rather than 
capitalized, similar payments made during Fiscal Years 2017 
through 2019, including expenses for the Claims Editing Solution. 
These errors resulted in correcting adjustments to Fiscal Year 2020 
activity, totaling approximately $33.3 million for Fiscal Years 2017 
through 2019, and $31 million for Fiscal Year 2020. 


ERRORS IN AUDIT ADJUSTMENT CALCULATION. When initially 
calculating the appropriate correcting adjustment for Colorado 
interChange capital asset omissions that we identified through our 
audit, Department staff made several errors, totaling approximately 
$811,000, on its spreadsheet used as a supporting document for the 
audit adjustment. Specifically, the Department failed to include the 
Fiscal Year 2017 upgrade and enhancement payments reported by 
the Controller Division, and had a formula error within the 


spreadsheet. 
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FAILURE TO RECORD AMORTIZATION IN CORE. The Department 
made adjusting entries to record Colorado interChange capital 
assets that we identified through our audit, but failed to record the 
related amortization. After we brought the error to the Department’s 
attention, Department staff recorded amortization totaling 
$11.1 million for Fiscal Years 2017 through 2020. 


WHY DID THESE PROBLEMS OCCUR? 


Overall, we found that the Department does not have adequate internal 


controls in place over the recording of capital assets, specifically: 


LACK OF A COMPREHENSIVE PROCESS OVER CAPITALIZATION OF COSTS, 
AND CORRESPONDING REVIEW. The Department did not have a 
comprehensive process in place to analyze software payments to identify 
those costs related to system modifications that increase the efficiency 
of its computer software projects, such as Colorado interChange. 
Specifically, the Controller Division did not sufficiently analyze the 
nature of the expenditures and follow up with Department staff, as 
applicable, to determine the appropriate accounting treatment for the 
payments. Additionally, the Department did not have a process in place 
to ensure amortization was calculated and recorded for prior and 
current year capitalized cost adjustments recorded by the Department. 
Further, the Controller Division lacked an effective review process over 


the capitalization of costs recorded in CORE. 


WHY DO THESE PROBLEMS MATTER? 


Without strong internal controls over capital assets, the Department 
risks significantly misstating its assets in CORE and, ultimately, in the 
State’s financial statements. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-012 


The Department of Health Care Policy and Financing should improve 
its internal controls over the accounting and reporting of capital assets 


by: 


A Ensuring a comprehensive process is in place to analyze future 
information system costs to identify costs related to system 
enhancements and modifications that increase the efficiency of its 
computer software projects that should be capitalized. This process 
should include steps to calculate any amortization of capitalized 


assets that should be recorded in the State’s accounting system. 


B Implementing an effective review process over the expenditure or 
capitalization and amortization of software-related assets to ensure 
entries made to the State’s accounting system are complete and 
accurate, and are in accordance with Governmental Accounting 
Standards Board Statement No. 51, the Office of the State 


Controller’s Fiscal Procedures Manual, and State Fiscal Rules. 


RESPONSE 


DEPARTMENT OF HEALTH CARE 
POLICY AND FINANCING 


A AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Department will update its current Capital Asset process to 
ensure that any costs associated with post-implementation system 
enhancements are capitalized and amortized under the 
Governmental Accounting Standards Board Statement Number 51. 
A process to coordinate with the Health Information Office, who 
monitors and tracks system changes and related expenditures, will 
be documented and implemented to assist the Controller Division 
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with identifying any expenditures for system projects qualified for 
capitalization under the Government Accounting Standards Board 
Statement Number 51 that meet the materiality threshold in the 
Office of the State Controller’s Fiscal Procedures Manual. 


B AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Department will develop, document and implement a more 
robust and thorough review process for expenditures to be 
capitalized and amortized in accordance with the Governmental 
Accounting Standards Board Statement Number 51, the Office of 


State Controller's Fiscal Procedures Manual and State Fiscal Rules. 


SOC REPORTS 


The Department has three systems referred to as the COMMIT Project, 
comprised of: (1) Pharmacy Benefit Management System (PBMS), 
which provides processing of pharmacy and drug rebates; (2) Colorado 
interChange, which processes provider enrollment and payments; and 
(3) the Business Intelligence and Data Management System (BIDM), 
which provides data analytics and reporting functions. These systems 
all have unique functions, and the Department uses them to administer 


and manage federal programs, such as Medicaid and CBHP. 


The Department contracts with several third-party service organizations 
for the processing of Medicaid data, claims, and the overall 
maintenance and operations of the systems. The following table outlines 


each service organization and the corresponding system it services: 


Service Organization System 


Magellan Health PBMS 
DXC Technology Services Colorado interChange 
IBM Watson Health BIDM 


The Department’s contractual agreements with these three service 
organizations require each to have an examination performed by an 
independent service auditor. Examinations of this type are governed by 
the American Institute of Certified Public Accountants (AICPA) and 
result in one of various types of System and Organization Controls 
(SOC) reports. For example, a SOC 1, Type II report provides the 
service auditors’ opinion as to whether management has fairly presented 
its description of the service organization’s system and that internal 
controls over financial reporting have been suitably designed, and are 
operating effectively to achieve the related control objectives over a 
specified period of time. Service organizations will also state that there 
are certain internal controls that must be designed, in place, and 
operating effectively at the user entity, in this case at the Department, 
for the controls listed in the report that are supported by the service 


organization to be fully relied upon by the Department. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 
Complementary User Entity Controls (User Controls) identified by IBM 
Watson Health for BIDM were in place and operating effectively over 
the period of review. We obtained the most recent reports provided to 
the Department by IBM Watson Health, including three SOC 1 reports 
that covered the components that comprise BIDM. We reviewed the 
SOC reports and inquired of Department staff in order to understand 


their key IT user controls. 
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HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the following: 


BIDM Contract Amendment No. 7 Exhibit C requirements, sections 
37.2-37.2.1, effective February 2019, states that the Contractor 
shall pay and arrange for a SOC 1, Type II audit annually, to be 
conducted by an independent auditor, covering work performed by 
the Contractor at the Contractor's facility and data center sites and 


provide the report to the Department. 


BIDM Contract Exhibit A, Transmittals, Section 6.5 states that 
transmittals may not be used in place of an amendment, and may 
not, under any circumstances, be used to modify the terms of the 


contract. 


WHAT PROBLEMS DID THE AUDIT WORK 
IDENTIFY? 


We identified the following problems related to the Department’s 


oversight of its SOC reporting requirements: 


The Department received and accepted a SOC 1, Type I report and 
did not ensure that a SOC 1, Type II audit was conducted over work 
performed by IBM Watson Health, its service organization for 
BIDM, at its facility and data center sites, as required by its contract 
with IBM Watson Health. A SOC 1, Type I report only provides the 
service auditors’ opinion that internal controls over financial 
reporting have been suitably designed to achieve the related control 
objectives as of the specified date, not over a period of time, which 


is part of aSOC 1, Type II report. 


The Department executed a contract change to the IBM Watson 
Health contract through a transmittal to accept the results of a 
SOC 1, Type I audit, instead of the required SOC 1, Type II. 


WHY DID THESE PROBLEMS OCCUR? 


These problems occurred because of the following: 


The Department has not ensured that staff are trained related to 
contractually-specified SOC reporting requirements and the controls 
its service organizations have designed, implemented, and operate 
over relevant operational processes, as identified in the SOC 1, Type 
II reports. This will better inform the need for the SOC 1, Type II 
reports and how the Department’s service organizations’ internal 


control systems impact the Department’s internal control system. 


The Department continues to have problems with SOC 1, Type II 
reports. Specifically, between Fiscal Years 2017 and 2019, we 
identified problems with: 


The legacy MMIS—In Fiscal Year 2017, the Department did not 
obtain an annual SOC 1, Type II report over MMIS, for the 
period of July 1, 2016, through February 28, 2017, as required 
by the contract. This recommendation was implemented in Fiscal 
Year 2019. 


The Colorado interChange system—In Fiscal Year 2017, the 
Colorado interChange SOC 1, Type II report lacked coverage of 
database controls. In Fiscal Year 2019, the Department did not 
ensure that relevant IT general controls over financial reporting 
were identified and included for testing in the scope of its service 
organization’s SOC 1, Type II reports. These have yet to be fully 


implemented. 


IBM Watson Health and the service auditor informed the 
Department that the service auditor would not be able to conduct a 
SOC 1, Type II audit. Therefore, the Department documented 
contract changes to accept a SOC 1, Type I audit, however, this was 


through a transmittal versus a contract amendment. 


lame! 
TR 
N 
N 


YWOLIGNV ALV.LS OGVUOTOSO AHL JO LUOdAU 


l-56 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


WHY DO THESE PROBLEMS MATTER? 


By not holding service organizations accountable to contract 
requirements for performing respective SOC 1, Type II annual 
examinations, there is a risk that the respective service organizations’ 
internal controls over financial reporting may not be implemented and 
operating effectively during the audit period, or over a specified period 
of time. Additionally, when contract requirements are not followed or 
amended as required, this may put the State in a position that is not 
legally enforceable with the contractor. Furthermore, if the Department 
does not ensure that responsible staff are properly trained, 
knowledgeable, and understand the purpose and scope of its service 
organizations’ contracts and SOC reports, there is a risk that the 
Department may not be able to identify problems that could impact its 
internal controls over financial reporting and reporting to the federal 


government for the Medicaid and CBHP programs. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-013 


The Department of Health Care Policy and Financing (Department) 
should strengthen internal controls over financial reporting by: 


A Ensuring that the service organization for the Business Intelligence 
and Data Management System (BIDM) complies with contract 
requirements to perform and provide an annual System and 
Organization Control (SOC) 1, Type II audit. 


iss) 


Developing, documenting, and implementing Department policies 
and procedures that outline the acceptable methods for making 
contract changes and when to use contract amendments or the 


transmittal process. 
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C Ensuring that staff are properly trained on their responsibilities 
related to the SOC audit reporting requirements, and ensuring that 
they understand the controls their service organizations have 
designed, implemented, and operate over relevant operational 
processes and how they impact the Department’s own internal 
control system. 


RESPONSE 


DEPARTMENT OF HEALTH CARE 
POLICY AND FINANCING 


YWOLIGNV ALV.LS OGVUOTOSO AHL JO LUOdAU 


A PARTIALLY AGREE. IMPLEMENTATION DATE: SEPTEMBER 2020. 


The Department made a one-time decision to allow a SOC 1, Type 
I audit to be conducted for the Department's Data Warehouse for 
FY18-19 after numerous discussions with the contractor about 
extenuating circumstances. Under contract law, any party to a 
contract has the right to waive the failure of the other party to meet 
a requirement. This concept is enshrined in the contract in section 
19.N, which specifies that a waiver of any failure to perform doesn't 


imply a waiver of any other failure. 


In this case, the contractor informed the Department that it would 
not be able to comply with the requirement to complete a Type II 
audit for one year. The Department had three options: 1) hold the 
contractor in breach and seek damages - based on the circumstances, 
termination of the contract was determined to be infeasible; 2) 
provide an unconditional waiver authorizing the failure to perform; 
or 3) provide a conditional waiver authorizing the failure if the 
contractor does something to mitigate it. Based on the 
circumstances, the Department chose to provide a conditional 
waiver of the contractor's failure to complete the Type II audit so 
long as the contractor instead completed a Type I audit to mitigate 
the failure within the recommended audit report delivery timeline 
provided by the OSA. 
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The Department agrees a SOC 1, Type II audit is required by service 
organizations under their contract unless prevented by 
circumstances beyond the control of the Department and service 


organization. 


AUDITOR’S ADDENDUM 


The Department’s contract requires that the service organization 


conduct and provide a SOC 1, Type I audit and report, on an annual 


basis. The Department did not ensure that this provision was executed. 


B 


DISAGREE. IMPLEMENTATION DATE: NOT APPLICABLE. 


The Department does not agree that this one-time decision to issue 
a transmittal rather than a contract change justifies this 


recommendation. 


Specifically related to BIDM and as of September 2018, IBM 
Watson Health completed the business transfer of Truven Health 
Analytics — the Department’s original BIDM service organization - 
after acquiring it in 2016. In this transfer, IBM Watson inherited the 
contract requirements to pay and arrange for a SOC 1, Type II audit 
on an annual basis. Around this same time period of September 
2018, Truven Health Analytic’s service auditor determined there 
was a conflict of interest with IBM Watson Health and would not 
be able to conduct the SOC 1, Type II audit for Fiscal Year 2019. 
IBM Watson contracted with another service auditor and planning 
for the audit began in the fourth quarter of Calendar Year 2018. 


The Department issued a transmittal to waive the contract 
requirement on a one-time basis, and this was the appropriate action 
to take in this instance. The Department agrees that it is a best 
practice to document guidelines for staff to use to determine whether 
contract changes should be communicated via a transmittal or a 
contract amendment, and will develop, implement, and 


communicate such guidelines. 


AUDITOR’S ADDENDUM 


Exhibit A, Transmittals, Section 6.5 of the Department’s BIDM 
Contract, states that transmittals may not be used in place of an 
amendment, and may not, under any circumstances be used to modity 
the terms of the Contract. 


C PARTIALLY AGREE. IMPLEMENTATION DATE: IMPLEMENTED. 


The Department does not agree that the finding in this report 


justifies this recommendation. 


The Department does agree that properly trained staff is important 
and to strengthen its internal controls, the Department hired a 
Contract Manager to fill a vacancy. In addition to currently trained 
staff, a Security and Compliance Program Manager was also hired 
to ensure the Department has a qualified and experienced resource 
available to assist in data security and service organization audit 
needs across the Department. Both of these roles were hired prior to 


this recommendation being issued. 


However, the Department does not agree that the problems and 
recommendations identified by the OSA in this current audit 


occurred as a result of training insufficiency. 


AUDITOR’S ADDENDUM 


The problems identitied in this and prior year findings, as mentioned in 
this finding, point to a lack of trained Department staff in the area of 


contractually specitied SOC reporting requirements. 
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INTERCHANGE SERVICE 
ORGANIZATION 
CONTROL REPORTS 


In 2017, the Health First Colorado program implemented Colorado 
interChange to replace the legacy MMIS. The Health First Colorado 
program, which is partially funded through the federal Medicaid grant, 
provides public health insurance to eligible low-income citizens. The 
Health First Colorado program and the Colorado interChange system 
are the responsibility of the Department. The fiscal agent responsible 
for performing internal controls and processing claims and payments, 
significant to the Department’s administration of the federal Medicaid 
program, is DXC Technology Services, LLC (DXC). 


DXC hosts the Colorado interChange system for the Department and 
manages IT services related to the maintenance and support of the 
system infrastructure and software. The Department’s contractual 
agreement with DXC requires that it, as a service organization for the 
Department, have an annual SOC examination performed by an 
independent service auditor. Examinations of this type are governed by 
the AICPA and result in one of various types of SOC reports. For the 
Department, DXC provides a SOC 1, Type II report, which provides an 
independent auditors’ opinion on whether the service organization’s 
internal controls over financial reporting, including those over the 
system, have been suitably designed and operated effectively over a 


specified period of time. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 


Department implemented our Fiscal Year 2019 Colorado interChange 


SOC Report recommendation, in which the original recommendations 
were made in Fiscal Year 2017. Specifically, we recommended that the 
Department should improve controls over its financial reporting by (a) 
working with its service organization to ensure the Colorado 
interChange SOC 1, Type II reports clearly state the system components 
and controls that are in scope, such as database change management 
and database backup and recovery controls; and (b) developing, 
documenting, implementing, and communicating a process for 
conducting reviews of the SOC 1, Type II reports to ensure that all 
appropriate database internal controls impacting financial reporting are 
identified by the service organization, tested for effectiveness, and 


opined upon by the service auditor in its SOC 1, Type II report. 


We performed our audit work through inquiry of Department staff, as 


well as inspection of supporting documentation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


The OSC’s Manual Section 3.41, Statewide System and Organizational 
Controls Reviews, includes agency responsibilities related to the receipt 
of SOC reports. Specifically, agencies are required to annually review 
such reports and determine whether any actions are necessary to 


remediate issues noted. 


The OSC’s policy, Internal Control System, requires state agencies to 
use the Standards for Internal Control in the Federal Government 
(Green Book), published by the U.S. Government Accountability Office, 
as its framework for its system of internal control. Specifically, Green 
Book Paragraph OV4.08, Documentation Requirements, states that 
documentation is a necessary part of an effective internal control system 
and is required for the effective design, implementation, and operating 


effectiveness of an entity’s internal control system. 
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WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


During our Fiscal Year 2020 audit work, we found that the Department 
worked with DXC to ensure that the appropriate system components 
and controls, such as database change management and database 
backup and recovery controls, were clearly identified in the SOC 1, 
Type II report. However, the Department did not develop, document, 
implement, or communicate a process to review the SOC 1, Type II 


reports annually. 


WHY DID THIS PROBLEM OCCUR? 


Department staff stated that SOC reports are reviewed when the 
Department receives them, but an annual review process has not yet 
been formally documented or implemented. The Department stated that 


it plans to document and implement the process by July 2021. 


WHY DOES THIS PROBLEM MATTER? 


Without a formalized SOC 1, Type II review process in place, the 
Department may not be aware of issues identified in the report relating 
to the controls its service organizations have designed, implemented, 
and operate over contracted services as they relate to financial reporting 
and compliance with federal regulations. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATION 2.019-052B 
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RECOMMENDATION 
2020-014 


The Department of Health Care Policy and Financing should improve 
internal controls over financial reporting by developing, documenting, 
implementing, and communicating a process for conducting annual 
reviews of the Colorado interChange’s System and Organization 
Controls (SOC) 1, Type II reports to determine if any issues have been 


noted and whether actions are necessary to remediate these issues. 


RESPONSE 


DEPARTMENT OF HEALTH CARE 
POLICY AND FINANCING 


YWOLIGNV ALV.LS OGVUOTOO AHL JO LYOdAU 


AGREE. IMPLEMENTATION DATE: JULY 2021. 


The Department is currently documenting all processes and reports. 
Implementation of a process for conducting reviews of the SOC 1, 
Type II reports will be completed by the July 2021 due date. 
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DEPARTMENT OF 
HIGHER EDUCATION 


The Department of Higher Education was established under state 
statute [Section 24-1-114, C.R.S.] and includes all public higher 
education institutions in the state. It also includes the Auraria Higher 
Education Center; the Colorado Commission on Higher Education; the 
Colorado Student Loan Program, dba College Assist; CollegeInvest; 


History Colorado; and the Division of Private Occupational Schools. 
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State public institutions of higher education are governed by 
10 different boards. The governing boards and the schools they oversee 


are as follows: 


= BOARD OF REGENTS OF THE UNIVERSITY OF COLORADO 
University of Colorado Boulder 
University of Colorado Denver 
University of Colorado Denver | Anschutz Medical Campus 


University of Colorado Colorado Springs 


= BOARD OF GOVERNORS OF THE COLORADO STATE UNIVERSITY 
SYSTEM 
Colorado State University—Fort Collins 
Colorado State University—Pueblo 
Colorado State University-Global Campus 


= BOARD OF TRUSTEES FOR THE UNIVERSITY OF NORTHERN COLORADO 


University of Northern Colorado 


= BOARD OF TRUSTEES OF THE COLORADO SCHOOL OF MINES 
Colorado School of Mines 


= STATE BOARD FOR COMMUNITY COLLEGES AND OCCUPATIONAL 
EDUCATION 
Arapahoe Community College 


Colorado Northwestern Community College 
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Community College of Aurora 
Community College of Denver 
Front Range Community College 
Lamar Community College 
Morgan Community College 
Northeastern Junior College 
Otero Junior College 

Pikes Peak Community College 
Pueblo Community College 
Red Rocks Community College 
Trinidad State Junior College 


= BOARD OF TRUSTEES FOR ADAMS STATE UNIVERSITY 
Adams State University 


= BOARD OF TRUSTEES FOR COLORADO MESA UNIVERSITY 


Colorado Mesa University 


= BOARD OF TRUSTEES FOR METROPOLITAN STATE UNIVERSITY OF 
DENVER 
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Metropolitan State University of Denver 


= BOARD OF TRUSTEES FOR WESTERN COLORADO UNIVERSITY 


Western Colorado University 


= BOARD OF TRUSTEES FOR FORT LEWIS COLLEGE 
Fort Lewis College 


ADAMS STATE 
UNIVERSITY 


The Board of Trustees of Adams State University is the governing board 
for Adams State University (University). The Board of Trustees has 
oversight and responsibility in the areas of finance, resources, academic 


programs, admissions, role and mission, and personnel policies. 


The board consists of nine members appointed by the Governor to serve 
4-year terms. Additionally, an elected member of the faculty of the 
University serves for a 2-year term and an elected member of the student 
body of the University serves for a 1-year term. The President of the 
University is responsible for providing leadership and administering the 
policies and procedures of the Board of Trustees. The board conducts 
its business at regular monthly meetings, all of which are open to the 


public. 


The University is a liberal arts university with graduate programs in 
teacher education, business, counseling, and art. Section 23-51-101, 
C.R.S., states that the University shall be a general baccalaureate 
institution with moderately selective admission standards. The 
University is a regional educational provider approved to offer limited 
professional programs, Hispanic programs, undergraduate education 
degrees, masters level programs, Ph.D. level programs, and 2-year 
transfer programs with a community college role and mission, except 


for vocational education programs. 


Full-time equivalent (FTE) students, faculty, and staff reported by the 


University for the last 3 fiscal years were as follows: 
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Resident Students 1,647.6 1,553.9 1,482.0 
Nonresident Students 757.1 715.0 778.8 


OTAL STUDENTS Z salki 2,268.9 2,260.8 


Faculty FTE 168.8 174.1 
Staff FTE TA A 142.5 140.1 
OTAL FACULTY AND STAFF FTE 328.5 311.3 314.2) 


The following comment was prepared by the public accounting firm of 
Wall, Smith, Bateman Inc., which performed the Fiscal Year 2020 audit 
work at the University under contract with the Office of the State 
Auditor. 


ACCOUNTING 
RECONCILIATION AND 
REPORTING CONTROLS 


Adams State University’s accounting department is responsible for all 
of the University’s financial accounting and reporting, including the 
accurate and timely entry, reconciliation, and approval of financial 
transactions in the University’s accounting system and preparation of 
its financial statements. The University’s accounting department is also 
responsible for submitting additional fiscal year-end accounting 
information through exhibits to the Office of the State Controller (OSC) 


for inclusion in the State's financial statements. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to assess the adequacy and 


effectiveness of the University’s internal controls over financial and 


reporting activities, and to determine whether the University complied 
with applicable accounting standards during Fiscal Year 2020. In 
addition, we reviewed the University's progress in implementing our 
Fiscal Year 2019 audit recommendation related to improving 
accounting controls. At that time, we specifically recommended that the 
University continue to improve its internal controls over financial 
activities by ensuring it has effective supervisory review and approval 
procedures in place as well as enhancing fiscal year-end training to staff 
over the implementation and performance of internal control 


procedures. 


As part of our audit testing, we reviewed the University’s Financial 
Management Manual! (Guide) and inquired of accounting department 
staff as to the existence of internal controls related to fiscal year-end 
financial close activities. Additionally, we reviewed the University’s 
exhibits and related supporting documentation that were prepared and 
submitted to the OSC for Fiscal Year 2020 in order to determine 
whether the University staff prepared this information accurately and 


in accordance with the OSC’s Fiscal Procedures Manual (Manual). 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured our audit work against the following criteria: 


The University’s Financial Management Guide, which specifies 
procedures for administering financial processes to be designed so 
that the duties of one employee provide a crosscheck on the work of 
one or more other employees. Examples of these internal controls 
would be updated policies and procedures, including requirements 
for secondary reviews, proper segregation of duties, the maintenance 
of supporting documentation, and requirements for reconciliations 
of financial activity. In addition, the Guide aligns with the OSC State 
Fiscal Rule 1-8 (Pre-audit Responsibility for Accounting Documents 
and Financial Transactions). According to OSC’s State Fiscal Rule 


1-8, the State’s institutions of higher education “shall implement 
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internal accounting and administrative controls that reasonably 
ensure that financial transactions are accurate, reliable, and conform 


to state fiscal rules.” 


The OSC’s Manual contains specific instructions for completing 


exhibits. Specifically: 


Exhibit D, Schedule of Debt Service Requirements to Maturity, 
is used to report the institution’s principal and interest payments 
by year throughout the term of the debt. In addition, the total 
amount of the original obligation for each type of debt must be 
reported in order “to provide a frame of reference for the 
financial statement reader so that they can determine the State’s 


process in paying down its borrowing obligations.” 
Exhibit J, Financial Statement Reconciliation, is used to: 


Reconcile the institution’s financial statements to the 
institution’s trial balance recorded within the State of 


Colorado’s accounting system (CORE). 


Provide assurance to the State Controller that the 
institution’s financial statements properly accumulate CORE 
accounts in the same format the OSC uses for the State’s 


Comprehensive Annual Financial Report. 


Exhibit V1, Higher Education Cash Flow Statement - 
Supplemental! Information, is used to report information needed 
for the conversion of the statement of cash flows from the 
indirect method to the direct method and to disclose noncash 


transactions. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


Overall, we identified internal control issues related to the University’s 


fiscal year-end accounting reconciliation and reporting and determined 


that the University had not fully implemented our Fiscal Year 2019 
audit recommendation. Specifically, while our Fiscal Year 2020 audit 
work determined that the University made progress in the 
implementation of supervisory review controls and approval procedures 
related to year-end financial activity during Fiscal Year 2020, we 
determined that the additional controls were ineffective in preventing 
and/or identifying and correcting year-end reconciliation errors. 
Further, the additional internal controls did not ensure the accurate 
submission of OSC exhibits. 


As a result of our audit testwork, we identified the following issues: 


The University’s Exhibit D, Schedule of Debt Service Requirements 
to Maturity, overstated the total amount of the original obligation 
for each type of debt by $22,080,000, because it incorrectly included 


debt issues refinanced in Fiscal Year 2019. 


The University’s Exhibit J, Financial Statement Reconciliation, 
understated the University’s “net position — restricted for other 
purposes” and overstated the “net position — unrestricted” line 
items, by $1,200,000; the University’s financial statements 


contained the same errors. 


The University’s Exhibit V1, Higher Education Cash Flow 
Statement — Supplemental Information, incorrectly excluded 
$20,700,000 of agency fund receipts and corresponding 


disbursements. 


The University’s capital asset depreciation expense and accumulated 
depreciation reported on its financial statements were understated, 
and the “net investment in capital assets” was overstated by 
approximately $858,000. 


The general ledger balance for the University’s student tuition 
receivable inaccurately exceeded the detailed student ledger balance 
by approximately $123,000, and, as a result, the student tuition 
receivable and related revenue account were both overstated at fiscal 


year-end. 
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After we brought the errors to University staff’s attention, University 
staff corrected the University’s financial statements and submitted 
corrected exhibits to the OSC. 


WHY DID THESE PROBLEMS OCCUR? 


The University did not have adequate internal controls in place to 
ensure that fiscal year-end accounting and financial reporting errors 
were prevented or identified and corrected. Specifically, the University’s 
reconciliation of fiscal year-end accounts receivable, capital asset, and 
net position-related accounts along with its processes for the 
preparation, review, and approval of the fiscal year-end financial 
statements and exhibits did not prevent or identify the errors found 


during the audit. 


While the University made progress in implementing the delegation of 
reconciliation processes to allow for supervisory review and contracted 
with an independent, experienced accountant to review the exhibits 
during Fiscal Year 2020, it lacked a complete and effective overall 
review and comparison of its accounting reconciliations and exhibits to 


the financial statements presented for audit. 


WHY DO THESE PROBLEMS MATTER? 


Without adequate controls in place over financial activities, the 
University cannot ensure the accuracy and completeness of its reported 
financial information and, ultimately, the State’s financial statements. 
Performing an adequate reconciliation of accounting transactions and 
implementing an effective review of fiscal year-end reports will aid in 
reducing errors and omissions, as well as detecting and correcting 


errors. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 


THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATIONS 2019-014A AND 
2019-014B 


RECOMMENDATION 
2020-015 


Adams State University should continue to improve its internal controls 


over financial activities by: 


A Enhancing its fiscal year-end reconciliation and exhibit preparation 
procedures to ensure the accurate preparation of financial 
statements and exhibits in accordance with the Office of the State 


Controller’s Fiscal Procedures Manual. 


B Ensuring effective overall supervisory reviews and approvals are in 
place for fiscal year-end accounting and reporting processes to 


identify and correct any errors in the financial statements. 


RESPONSE 


ADAMS STATE UNIVERSITY 
A AGREE. IMPLEMENTATION DATE: AUGUST 2021. 


The University will enhance fiscal year-end reconciliation and 
exhibit preparation procedures to ensure the accurate preparation 
of financial statements and exhibits in accordance with the Office of 
the State Controller’s fiscal procedures manual. 


B AGREE. IMPLEMENTATION DATE: AUGUST 2021. 


The University will ensure effective overall supervisory reviews and 
approvals are in place for fiscal year end accounting and reporting 
processes. 
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METROPOLITAN STATE 
UNIVERSITY OF DENVER 


Established in 1963 as Colorado’s “College of Opportunity,” 
Metropolitan State University of Denver (University or MSU Denver) is 
the third largest higher education institution in Colorado and one of the 
largest public 4-year universities in the United States. With a modified 
open-enrollment policy, students who are at least 20 years old need only 
have a high school diploma, a general educational development (GED) 


high school equivalency certificate, or the equivalent to gain admission. 


The University is governed by the Board of Trustees, an 11-member 
board consisting of nine voting members appointed by the Governor of 
Colorado with the consent of the Senate, and a faculty and a student 


representative, both of whom are non-voting. 


The University offers 96 major fields of study and 94 minors, 
28 certificates, and 40 licensure programs through its College of 
Business; School of Education; School of Hospitality; College of Letters, 
Arts and Sciences; and College of Professional Studies. Degrees include 
Bachelor of Science, Bachelor of Arts, Bachelor of Fine Arts, Bachelor 
of Music, Bachelor of Music Education, and eight Master’s majors and 
nine Master’s certificates. Academic bachelor programs range from the 
traditional, such as English, art, history, biology, and psychology, to 
business-related degrees in computer information systems, accounting, 
and marketing; and professional directed programs in nursing, 
healthcare management, criminal justice, pre-medicine, pre-law, and 
pre-veterinary science. The Master’s major programs include art in 
teaching, social work, professional accountancy, health administration, 
business administration, cybersecurity, Clinical Behavioral Health, and 


Human Nutrition and Dietetics. 


Enrollment and faculty and staff information is provided below. Full- 
time equivalent (FTE) students reported by the University for the last 


3 fiscal years are as follows: 


Resident Students 43 14,570 ` 


ETH Students 53 : 52 1 
ae FTE ae soe 
Staff FTE JE 533 544 


TOTAL FACULTY AND STAFF FTE 1,369 1,369 


The following comment was prepared by the public accounting firm of 
Plante & Moran, PLLC, which performed the Fiscal Year 2020 audit 
work at the University under contract with the Office of the State 
Auditor. 


INCORRECT RECORDING 
OF ASSET AND LIABILITY 
TRANSFER 


On August 17, 2010, the University’s Board of Trustees approved the 
incorporation of a special-purpose, not-for-profit corporation known 
as HLC@Metro, Inc. (HLC@Metro) with the intention that 
HLC@Metro would own the Hotel and Hospitality Learning Center 
(HLC), and related assets, including a hotel located on the University’s 
campus. After the hotel was built, HLC@Metro established an 
agreement with Sage Hospitality to manage the hotel and established a 


franchise agreement with Marriott to market the hotel. 


Due to the nature and significance of HLC@Metro’s relationship with 
the University, in accordance with Governmental Accounting Standards 
Board (GASB) Statement No. 14, The Financial Reporting Entity, as 
amended by GASB Statement No. 61, the Financial Reporting Entity: 
Omnibus, and GASB Statement No. 39, Determining Whether Certain 
Organizations Are Component Units, HLC@Metro, Inc is considered to 
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be a discretely presented component unit of the University; therefore, 
the University reports HLC@Metro’s financial statements in a separate 


column on the face of the University’s financial statements. 


During Fiscal Year 2020, the University entered into an agreement with 
HLC@Metro under which the University effectively purchased and 
transferred most of HLC@Metro’s assets and liabilities to the University 
as of June 30, 2020. The agreement and resulting transfer of assets and 
liabilities occurred in order to allow the hotel to potentially be used as 
additional COVID-19 hospital capacity for the State of Colorado, since 
HLC@Metro’s existing bond covenants did not allow for the 
unconventional use of the hotel space. More specifically, in an effort to 
make the hotel available to the City and County of Denver and the 
surrounding communities as possible hospital patient overflow, a 
complex set of transactions were executed to alleviate use restrictions 
on the hotel, which resulted in the University acquiring the hotel. Prior 
to the acquisition, the HLC@Metro Series 2010 bonds, which were used 
to construct the hotel, only allowed the space to be use as a hotel and 
not as a care facility. In order to release the use restriction on the hotel, 
HLC@Metro’s Series 2010 bonds needed to be paid off (or defeased). 


In April 2020, the University issued Series 2020 bonds, the proceeds of 
which were used by the University to fund the purchase of most of the 
assets and liabilities of HLC@Metro, including the hotel. In turn, 
HLC@Metro used the proceeds from the sale of its assets to pay off its 
existing Series 2010 bonds, which allowed the University to move 
forward with potentially using the hotel as a care facility. As part of the 
bond issuance, the University began steps to enter into an interest rate 


> 


swap agreement in order to protect, or “hedge,” against the potential 
increase of interest rates. This interest rate swap agreement was 


executed on September 30, 2020. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to test recorded journal entries 
related to the transfer of assets and liabilities from HLC@Metro to the 


University, including entries related to its interest rate swap agreement. 


Overall, we performed testing to determine whether the University 
appropriately recorded the activities related to the transfer of assets and 
liabilities in its accounting records. Specific testing we performed 
included the following: 


Review of underlying agreements related to the asset transfers. 


Review of support for the amount of the transferred assets. 


Requested information related to the interest rate swap, including a 
report obtained by management from an external specialist that 
concluded on the effectiveness of the interest rate as of June 30, 
2020. Effectiveness refers to the extent that the changes in the fair 
value of the interest rate swap offset the changes in value of the 
interest rate. The resulting accounting treatment for the recognition 
of the interest rate swap is determined based on the conclusion about 
effectiveness. 


Summary of management’s accounting considerations and 


conclusions and related journal entries recorded. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


Governmental accounting standards contained within Governmental 
Accounting Standards Board (GASB) Statement 69, Government 
Combinations and Disposals of Government Operations, (GASB 69) 
addresses requirements for recording activities related to asset and 
liability transfers. Specifically, paragraph 43 of GASB 69, states that 
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“the acquiring government should recognize the assets, deferred 
outflows of resources, liabilities, and deferred inflows of resources at 
the carrying values of the selling entity.” GASB Statement 56, 
Codification of Accounting and Financial Reporting Guidance 
Contained in the AICPA Statements on Auditing Standards, (GASB 56), 
also addresses related party transactions. Specifically, paragraph 4 
discusses the requirement to “recognize the substance of the transaction 
rather than merely its legal form” with respect to related party 
transactions. Finally, GASB Statement 53, Accounting and Financial 
Reporting for Derivative Instruments, (GASB 53) addresses the 
requirements for accounting for “hedge” instruments, such as interest 


rate swaps. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


Based on our testing, we determined that the University overstated in 
its financial statements the value of the capital assets transferred to it 
from HLC@Metro by approximately $8.3 million and understated the 
liability and related deferred outflow of resources related to the interest 
rate swap by approximately $11.5 million. Further, the University 
originally incorrectly recorded the liability and deferred outflow of 
resources related to the interest rate swap on HLC@Metro’s Statement 
of Net Position within the University’s financial statements instead of 


on the University’s Statement of Net Position. 


WHY DID THIS PROBLEM OCCUR? 


This problem occurred because the University did not have sufficient 
internal controls in place to ensure that it executed its existing policies 
and procedures related to unusual and significant accounting 
transactions. Specifically, although the University has procedures in 
place for researching applicable accounting guidance for unusual and 
significant accounting transactions, it did not sufficiently allocate staff 
to research and appropriately apply guidance specific to government 


acquisition of assets within the same financial reporting entity, as 
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outlined in GASB 69 and GASB 56. As a result, the University’s internal 
controls failed to ensure that its evaluation of the transfer of liabilities 


was complete, and included the impact of the interest rate swap liability. 


WHY DOES THIS PROBLEM MATTER? 


Without proper application of relevant accounting guidance, amounts 
recorded on the University’s financial statements were materially 
overstated. Additionally, the incomplete analysis related to the interest 


rate swap liability led to the related balances initially being reported on 
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the wrong reporting unit, which would have resulted in liabilities and 
deferred outflow of resources on the University’s financial statements 
being materially understated, with an offsetting overstatement on the 


discretely presented component unit’s financial statements. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-016 


Metropolitan State University of Denver should improve its internal 
controls over unusual and significant accounting transactions by fully 
executing its existing policies and procedures, including allocating the 
appropriate level of resources to research and implement required 
accounting procedures, while ensuring that all related transactions are 


correctly recorded and reported. 
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RESPONSE 


METROPOLITAN STATE UNIVERSITY 
OF DENVER 


AGREE. IMPLEMENTATION DATE: FEBRUARY 2021. 


The complex nature of the acquisition of the HLC@Metro Inc., coupled 
with its expedient execution in the last quarter of the fiscal year, a 
remote work environment with substantial staff changes and position 
vacancies, combined with agreements and contracts not being finalized 
until several months after year end, lead to the errors noted above. In 
order to ensure existing controls are executed MSU Denver has 
implemented a procedure to document any unusual and significant 
accounting transactions that will include how the transactions were 
recorded with supporting relevant accounting guidance. Should an 
accounting transaction meet the definition of both unusual (not having 
occurred within the last 7 years) and significant (exceeding $5 million) 
this documentation will not only be prepared but will be shared with 
the Chief Financial Officer (CFO) before the draft financials are shared 


with the auditors. 


UNIVERSITY OF 
COLORADO 


The University of Colorado (University) was established on November 
7, 1861, by an Act of the Territorial Government. Upon the admission 
of Colorado into the Union in 1876, the University was declared an 
institution of the State and the Board of Regents was established under 


the State Constitution as its governing authority. 
The University consists of the system office and the following campuses: 


University of Colorado Boulder 
University of Colorado Denver 
University of Colorado Denver | Anschutz Medical Campus 


University of Colorado Colorado Springs 


The campuses comprise 26 schools and colleges, which offer 178 
programs of study at the undergraduate level and 284 at the graduate 
level, offering 377 bachelor and master’s degrees, along with 110 


doctorates. 


The Board of Regents is charged constitutionally with the general 
supervision of the University and the exclusive control and direction of 
all funds of and appropriations to the University, unless otherwise 
provided by law. The Board of Regents consists of nine members serving 
staggered 6-year terms, one elected from each of the State’s seven 


congressional districts and two elected from the State at large. 


The Board of Regents appoints the President of the University. The 
President is the chief executive officer of the University. The President 
is responsible for the administration of the University, and for 
compliance of all University matters with applicable regent laws and 
policies, as well as state and federal constitutions, laws, and regulations. 
The President is the chief academic officer of the University, responsible 


for providing academic leadership in meeting the needs of the State, and 
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shall maintain and advance the academic policies of the University. The 
President is also the chief spokesperson for the University, interpreter of 
University policy, and represents and interprets the roles, goals, and 
needs of the University throughout the State and elsewhere, as 
appropriate. The Chancellors are the chief academic and administrative 
officers at the campus level, responsible to the President for the conduct 
of the affairs of their respective campuses in accordance with the 


policies of the Board of Regents. 


Full-time equivalent (FTE) students, faculty, and staff reported by the 


University for the last 3 fiscal years were as follows: 


Resident Students 41,259 41,817 41,845 
Nonresident Students 1%, 054 17,742 17,904 


TOTAL STUDENTS 59,559 59,749 


Faculty FTE 6,986 7,246 
Staff FTE zs E 14,495 14,911 
TOTAL FACULTY AND STAFF FTE 20,623 21,481 DAST 


The following comments were prepared by the public accounting firm 
of BKD, LLP, which performed the Fiscal Year 2020 audit work at the 
University under contract with the Office of the State Auditor. 


VENDOR MANAGEMENT 
AND DATA CENTER 
PHYSICAL SECURITY 


Government Auditing Standards allow for information that 1s 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 


could be caused by the misuse of this information. We consider the 


specitic technical details of this finding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the tollowing tinding and response have been provided to 


the University in a separate, confidential memorandum. 


The University of Colorado’s (University) University Information 
Services (UIS) department provides tools and applications that support 
university-wide business and academic applications. These include the 
core service lines and common business operations tools used by faculty 
and staff across all campuses. UIS also supports the computers, phones, 


networks and software used by the Office of the President. 


The University’s primary financial system is PeopleSoft and is housed 


at a co-location data center that is overseen by a service organization. 


In lieu of each user entity performing a separate vendor assessment to 
obtain assurances on the service organization’s internal control 
environment, service organizations may engage a service auditor to 
perform an examination and issue an opinion on the service 
organization’s design of controls at a point in time, or the design and 
operating effectiveness of controls over a period of time. These 
examinations are referred to as System and Organization Control (SOC) 
examinations, in which service organizations can then provide user 
entities with the resulting SOC report to provide them with assurances 


on the controls they managed and operate. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to review and determine whether 
vendor management and physical security controls related to the co- 
location data center housing the PeopleSoft application and its 
supporting infrastructure were designed, in place, and operating 


effectively during the audit period. 
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We interviewed relevant UIS staff, reviewed University policies and 
procedures and industry leading IT practices, and performed walk- 
throughs of the significant IT process areas to identify key controls 


within each respective process area. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against UIS’ Vendor 
Management procedure, National Institute of Standards and 
Technology (NIST) Special Publication 800-53 Revision 4, and the U.S. 
Government Accountability Office’s Standards for Internal Control in 


the Federal Government (Green Book). 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


During our testing we noted deficiencies within the UIS vendor 
management process, including UIS’ approach to gain assurance over 


the service organization’s data center physical security controls. 
WHY DID THESE PROBLEMS OCCUR? 


UIS management did not have a process in place to obtain, review, and 
conclude on their service organization’s SOC reports or perform an 
independent assessment and conclude on its service organization’s 
controls. In addition, neither of the contractual agreements the 
University has with the service organization specifies a SOC report 
deliverable on a regular interval, even though the service organization 
does have an annual SOC examination performed and a report 


available. 


UIS management did not have a formalized process in place to perform 
certain physical access IT controls, related to the co-location data 


center. 
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WHY DO THESE PROBLEMS MATTER? 


Without the appropriate independent review of service providers 
through SOC reports for the current reporting period, management may 
not be alerted to situations that may indicate that their service providers 
are not complying with contractual requirements or industry-leading 


practices. 


The lack of a process in place, related to the co-location data center, 


could result in disclosure of sensitive information, system 


YOLIGAV ALV.LS OGVUOTOO AHL AO LYOdAU 


malfunctioning/unavailability, or damage to systems and/or data 


housed in the data center. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-017 


The University of Colorado should improve vendor management and 


data center physical security controls by: 


A Mitigating the problems identified in PART A of the confidential 
finding. 


iss) 


Mitigating the problems identified in PART B of the confidential 
finding. 


O 


Mitigating the problems identified in PART C of the confidential 
finding. 
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RESPONSE 


UNIVERSITY OF COLORADO 
A AGREE. IMPLEMENTATION DATE: DECEMBER 2020. 


Management will work to mitigate the problems identified in PART 
A of the confidential finding. Please see the confidential finding for 
additional details. 


B AGREE. IMPLEMENTATION DATE: APRIL 2021. 


Management will work to mitigate the problems identified in PART 
B of the confidential finding. Please see the confidential finding for 
additional details. 


C AGREE. IMPLEMENTATION DATE: OCTOBER 2020. 


Management will work to mitigate the problems identified in 
PART C of the confidential finding. Please see the confidential finding 


for additional details. 


PEOPLESOFT— 
INFORMATION SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this tinding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the following finding and response have been provided to 


the University in a separate, contidential memorandum. 


The University Information Services (UIS) unit is responsible for the 
access management for to a variety of enterprise-wide applications and 


systems, including PeopleSoft. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether UIS had 
access management IT general controls designed, in place, and 


operating effectively for PeopleSoft during Fiscal Year 2020. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


The results of our audit work were measured against the University’s IT 


procedures and standards. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


We noted problems related to UIS’s access management process for 
PeopleSoft. 


WHY DID THESE PROBLEMS OCCUR? 


These problems occurred because UIS did not enforce the University’s 
procedures and standards. Due to reprioritization of work-effort to deal 
with COVID-19 demands, certain access management processes were 


postponed. 
WHY DO THESE PROBLEMS MATTER? 


Without adequate access management controls in place to ensure the 
confidentiality and integrity of the data in the PeopleSoft system, the 


University is risking that financially significant information, including 
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that of personally identified information, may be disclosed to 
individuals who are not authorized to view this information, or who are 


able to make unauthorized changes to system data. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-018 


The University of Colorado’s University Information Services unit 
should improve PeopleSoft access management controls and ensure 


compliance with University IT procedures and standards by: 


A Mitigating the problems identified in PART A of the confidential 
finding. 


B Mitigating the problems identified in PART B of the confidential 
finding. 


RESPONSE 


UNIVERSITY OF COLORADO 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


A AGREE. IMPLEMENTATION DATE: NOVEMBER 2020. 


Management will work to mitigate the problems identified in PART 
A of the confidential finding. Please see the confidential finding for 
additional details. 


B AGREE. IMPLEMENTATION DATE: DECEMBER 2.020. 


Management will work to mitigate the problems identified in PART 
B of the confidential finding. Please see the confidential finding for 
additional details. 


PEOPLESOFT—CHANGE 
MANAGEMENT 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this tinding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the tollowing tinding and response have been provided to 


the University in a separate, contidential memorandum. 


IT change management processes are designed to ensure the efficient 
and prompt handling of all changes to IT infrastructure through the use 


of standardized methods and procedures. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether UIS had IT 
change management internal controls in place and operating effectively 
relating to system changes within PeopleSoft. We interviewed UIS staff 
and reviewed documentation provided by staff to determine compliance 


with the University’s change management process. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the University’s 
change management process, National Institute of Standards and 
Technology (NIST) Special Publication 800-53 Revision 4, and the 


United States Government Accountability General Accounting Office 
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Standards for Internal Control in the Federal Government (“Green 
Book”). 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY AND HOW WERE THE 
RESULTS OF THE AUDIT WORK 
MEASURED? 


During our testing, we noted problems within UIS’s process for 


managing the change management process for PeopleSoft. 
WHY DID THESE PROBLEMS OCCUR? 


These problems occurred because the current process lacks specific 
requirements to retain documentation and UIS management does not 


have formalized segregation of duties policies. 
WHY DO THESE PROBLEMS MATTER? 


A lack of formal policies, procedures, or processes in place, related to 
change management can result in damage or loss of data, inaccurate 


financial reports, and/or malfunctioning systems. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 


THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-019 


The University of Colorado should improve PeopleSoft change 


management controls by: 


A Mitigating the problems identified in PART A of the confidential 
finding. 
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B Mitigating the problems identified in PART B of the confidential 
finding. 


RESPONSE 


UNIVERSITY OF COLORADO 
A AGREE. IMPLEMENTATION DATE: DECEMBER 2020. 


Management will work to mitigate the problems identified in PART 
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A of the confidential finding. Please see the confidential finding for 
additional details. 


B AGREE. IMPLEMENTATION DATE: DECEMBER 2.020. 


Management will work to mitigate the problems identified in PART 
B of the confidential finding. Please see the confidential finding for 
additional details. 
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WESTERN COLORADO 
UNIVERSITY 


Western Colorado University (University) is a liberal arts university in 
Gunnison, Colorado, with graduate programs in teacher education, 
business, counseling, and art. Section 23-56-101, C.R.S., states that the 
University shall be a general baccalaureate institution with selective 
admission standards. The University is a regional educational provider 
approved to offer professional degree programs, undergraduate sciences 


degrees, and developmental education courses. 


The Board of Trustees is the governing board for the University. The 
Board of Trustees has oversight and responsibility in the areas of 
finance, resources, academic programs, admissions, role and mission, 


and personnel policies. 


The board consists of nine members appointed by the Governor to serve 
4-year terms. Additionally, an elected member of the faculty serves for 
a 2-year term and an elected member of the student body serves for a 1- 
year term. The University President is responsible for providing 
leadership and administering the policies and procedures of the Board 
of Trustees. The board conducts its business at regular monthly 
meetings, all of which are open to the public. Full-time equivalent (FTE) 
students, faculty, and staff reported by the University for the last 3 fiscal 


years were as follows: 


Resident Students 1,528.2 1,524.1 1,593.4 
Nonresident Students 590.9 646.0 599.0 


TOTAL STUDENTS 21191 2,170.1 2,192.4 


Faculty FTE 156.9 160.6 155.9 
Staff FTE 203.5 211.5 217.8 
TOTAL FACULTY AND STAFF FTE 360.4 Sl IMM 
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The following comment was prepared by the public accounting firm of 
Dalby, Wendland & Co., P.C., which performed the Fiscal Year 2020 
audit work at the University under contract with the Office of the State 
Auditor. 


TIMELY BANK ACCOUNT 
RECONCILIATIONS 


Western Colorado University’s (University) accounting department is 
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responsible for all of the University’s financial accounting and 
reporting, including the accurate and timely reconciliation and review 
of bank statements. This requires the University to properly implement 
adequate internal controls over its cash receipts and disbursements 


process, including a strong bank reconciliation process. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to assess the design and effectiveness 
of the University’s internal controls over cash receipts and 
disbursements. As part of these audit procedures, we performed testing 
to determine whether monthly bank statement reconciliations were 


prepared and reviewed in a timely manner. 


We reviewed a sample of 40 of 48 bank statements the University 
received for its four bank accounts during Fiscal Year 2020—10 from 
each account—and inspected the University’s related documentation to 
determine if bank reconciliations were prepared and reviewed in a 


timely manner during the year. 
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HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


Bank account reconciliation is a key component of internal controls 
over cash. As stated in the University’s Internal Control procedure 
memo, Division of Duties (last updated April 2020), the Asset 
Accountant should reconcile the revenue, clearing, accounts payable, 
and payroll bank account balances reported within its accounting 
software to the monthly bank statements for those accounts and these 
should be reviewed by the controller. This should be done in a timely 


manner to ensure that: 
All receipts and disbursements are recorded. 
Disbursements are clearing the bank in a reasonable time frame. 


Bank account statements are reviewed timely and reconciled to the 
University’s accounting records. 


Reconciling items are appropriate and are being recorded. 


The reconciled cash balance agrees to the general ledger cash 
balance. 


The bank reconciliation preparation and review should occur shortly 
after each month end to identify errors or potential fraud in a timely 


manner. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


As a result of our audit testwork, we found that bank account 
reconciliations were not completed for any of the University’s four bank 
accounts for the months of January through May 2020 until July 2020. 
The five months of activity in the four accounts included a total of 
$82.3 million deposits and a total of $82.2 million withdrawals. 
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WHY DID THIS PROBLEM OCCUR? 


The University had a vacancy in its controller position within its 
accounting department from January through May 2020, but the 
University did not have a policy in place that specified an individual to 
serve as the backup reviewer for bank reconciliations in the event the 
controller was not available. Further, the University’s bank 
reconciliation policy did not specify timeframe requirements for the 
completion and review of bank account reconciliations. As a result, the 


University’s Asset Accountant did not prepare the bank reconciliations 
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for the 5-month period, and a supervisor did not identify the issue until 


the University hired a new controller in June 2020. 


WHY DOES THIS PROBLEM MATTER? 


By failing to perform and review bank reconciliations in a timely 
manner, the University increases its risk that misstatements related to 
cash transactions, whether due to errors or fraud, will occur and not be 
identified and addressed timely. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-020 


Western Colorado University should improve its internal controls over 


cash accounts by: 


A Establishing a procedure that specifies a required timeframe for 
preparation and supervisory review of bank account reconciliations. 


B Assigning back-up responsibility for preparation of bank account 
reconciliations in the event of staffing vacancies. 
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RESPONSE 


WESTERN COLORADO UNIVERSITY 


AGREE. IMPLEMENTATION DATE: JULY 2020. 


We have implemented procedures to complete all bank reconciliations 
within five business days of the end of the month. The reconciliation 
will be signed off on by the Controller and the Asset Accountant 
preparing the bank reconciliation. The reconciling items will be 
researched by the appropriate departments (payroll, accounts payable, 
etc.) on a timely basis and if we do not know the status of the reconciling 
items they will be documented. This was implemented in July 2020. 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


DEPARTMENT OF 
HUMAN SERVICES 


The Department of Human Services (Department) is solely responsible, 
according to statute [Section 26-1-111 (1), C.R.S.], for administering, 
managing, and overseeing the delivery of the State’s public assistance 
and welfare programs throughout Colorado. Most of these programs 
are administered through local county departments of human/social 
services. The Department also manages and directly administers 
programs in the areas of developmental disabilities, mental health, 


nursing homes, and youth corrections. 


For Fiscal Year 2020, the Department was appropriated approximately 
$2.4 billion and 5,135 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF HUMAN SERVICES 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


CASH FUNDS 
$445.9 


FEDERAL FUNDS 
$673.5 


enone ww 
FUNDS 


$211.2 GENERAL FUNDS 


$1,028.0 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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DEPARTMENT OF HUMAN SERVICES 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 


DIVISION OF 
YOUTH 
SERVICES 
1,216 


OFFICE OF 


BEHAVIORAL 
HEALTH 
1,426 


OFFICE OF 
OPERATIONS 
424 SERVICES FOR 
OTHER PEOPLE WITH 
397 DISABILITIES 


OFFICE OF SELE—~ 1,415 


SUFFICIENCY 
257 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


COLORADO PERSONNEL 
PAYROLL SYSTEM— 
INFORMATION SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specitic technical details of this finding, along with the response, to be 
sensitive in nature and not appropriate tor public disclosure. Therefore, 
the details of the following tinding and response have been provided to 


the Department in a separate, contidential memorandum. 


The Department has about 5,100 active employees and, of those, 
104 employees in their Human Resources and Payroll units currently 
have access to the Colorado Personnel Payroll System (CPPS), the 
State’s payroll system. The Office of the State Controller (OSC), within 


the Department of Personnel & Administration, is the functional 
business owner of this system. The OSC requires agencies using CPPS, 
including the Department, to perform account management processes 


for agency CPPS users. 


These account management processes are part of the required quarterly 
reporting to the OSC’s Financial Services Unit. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 
Department performed CPPS account management processes 


effectively. 


HOW WERE THE RESULTS OF THE AUDIT 
WORK MEASURED? 


We measured the results of our audit work against the OSC’s CPPS 
security administration requirements and responsibilities. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


The Department did not provide any evidence that staff performed the 
required CPPS account management processes during Fiscal Year 2020. 


WHY DID THIS PROBLEM OCCUR? 


The Department reported that a new requirement from the OSC went 
into effect during the third quarter of Fiscal Year 2020, and the 
Department did not have procedures developed for it until after the end 
of the fiscal year. Staff were focused on COVID-19 responses during 
this time and did not assign the necessary personnel to perform the 


account management processes. 
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WHY DOES THIS PROBLEM MATTER? 


The Department is responsible for the information contained in CPPS 
for its agencies. By not performing CPPS account management 
processes, the reliability and security of data stored and reported in 
CPPS could be impacted. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
‘THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-021 


The Department of Human Services should improve IT controls and 
safeguard information contained in the Colorado Personnel Payroll 
System by mitigating the information security problem identified in the 


confidential recommendation. 


RESPONSE 


DEPARTMENT OF HUMAN SERVICES 
AGREE. IMPLEMENTATION DATE: SEPTEMBER 2020. 


The Colorado Department of Human Services has improved CPPS 
controls by mitigating the problems identified in the confidential 


finding. 
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DEPARTMENT OF HUMAN 
SERVICES 


The following recommendation relating to an internal control 
deficiency classified as a SIGNIFICANT DEFICIENCY was communicated 
to the Department of Human Services (Department) in the previous 
year, and has not been remediated as of June 30, 2020, because the 
original implementation dates provided by the Department are in a 
subsequent fiscal year. These recommendations can be found in the 
original report and SECTION III: PRIOR FINANCIAL RECOMMENDATIONS 


YO.LIGNV ALVLS OGVUOTOO AHL AO LYOdAa 


of this report. 


A Jury 2020 
CURRENT REC. NO. 2020-022 PRIOR REC. NO. 2019-023 IMPLEMENTATION DATE B JuLy 2020 

C JULY 2020 
CLASSIFICATION SIGNIFICANT DEFICIENCY 


DEPARTMENT OF LABOR 
AND EMPLOYMENT 


The Department of Labor and Employment (Department) is responsible 
for ensuring compliance with regulations, performing safety 
inspections, and the administration of various programs. The principal 
programs the Department administers are Colorado’s Unemployment 
Insurance Program, Colorado’s Workers’ Compensation program, 
workforce development programs, and the Vocational Rehabilitation 


Programs. 


For Fiscal Year 2020, the Department was appropriated approximately 
$272.0 million and 1,293 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF LABOR AND EMPLOYMENT 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


CASH FUNDS 
$82.6 


FEDERAL FUNDS 
$153.8 


GENERAL FUNDS 
$25.5 


L REAPPROPRIATED 
FUNDS 
$10.1 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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DEPARTMENT OF LABOR AND EMPLOYMENT 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 


BY MAJOR AREAS 
OTHER 
131 DIVISION OF 
UNEMPLOYMENT 
DIVISION OF INSURANCE 
VOCATIONAL 484 
REHABILITATION 


237 


EXECUTIVE 
DIRECTOR'S OFFICE 
111 


DIVISION OF DIVISION OF 


2 WORKERS EMPLOYMENT 
OMPENSATION AND TRAINING 


111 219 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


The following comments were prepared by the public accounting firm 
of BDO USA, LLP, which performed the Fiscal Year 2020 audit work 
at the Department under contract with the Office of the State Auditor. 


UNEMPLOYMENT 
INSURANCE FINANCIAL 
REPORTING 


The Department’s Division of Unemployment Insurance is responsible 
for the administration and monitoring of Colorado's unemployment 
insurance programs, including the collection of unemployment 
premiums from employers, the payment of unemployment insurance 
benefits to claimants, and conducting audits and investigations of 
premiums and benefits to ensure they are properly paid. The 
Department’s Accounting Section is responsible for all of the 
Department’s financial reporting, including the accurate and timely entry 
and approval of financial transactions into the Colorado Operations 


and Resource Engine (CORE), the State’s accounting system. 


On March 13, 2020, the President of the United States issued the 
Proclamation on Declaring a National Emergency Concerning the 
Novel Coronavirus Disease (COVID-19) Outbreak and Congress 
subsequently passed the Emergency Unemployment Insurance 
Stabilization and Access Act of 2020 (EUISAA) and the Coronavirus 
Aid, Relief, and Economic Security Act (CARES). Both EUISAA and 
CARES included additional federal funding for and eased restrictions 
on all states’ unemployment compensation programs. For example, 
CARES established the Pandemic Unemployment Assistance (PUA) 
program for individuals not eligible for regular Unemployment 
Insurance (UI), which includes self-employed individuals, gig workers, 
and other independent contractors. 


Also in March 2020, the Governor declared a state of emergency 
relating to COVID-19 and issued Executive Order 2020-12 to expedite 
UI benefits claim processing and distribution of payments. To 
accomplish the directive, the Executive Order suspended various 
statutory provisions that previously required the Department to wait a 
specified number of days before paying a claim. 


The Department reviews, or adjudicates, claims to ensure that claimants 
are eligible and entitled to receive UI benefits. As part of the 
adjudication process, wage checks for claimants, other than the new 
PUA claims, are compared to employer reported wages submitted to the 
Department on a quarterly basis and the Department sends a 
notification to the last employer to determine the validity and reason 
for the claimant leaving the workplace. In addition, the Department 
reviews to identify potential issues with a claimant’s ability and 
availability to work and to ensure that the claimant is actively looking 
for work. If information provided by an interested party relating to the 
reason for leaving the workforce does not agree to the claimant 
information, the Department follows up on the information and issues 
eligibility determinations, as appropriate. Prior to the Governor’s Order 
going into effect, the Department adjudicated claims prior to payment, 
which the Department indicated was generally a 4- to 6-week process. 
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For PUA claims, claimants self-attest eligibility to receive benefits under 
the program, but must provide documentation to support wages since 
the claimant’s benefit payment amount is calculated based on the 
claimant’s wages. As these individuals are not eligible to receive 
payments under the regular UI Program, a comparison cannot be 
completed automatically between the claimant-reported amount and 
the employer-reported amount of wages submitted to the Department. 
Department staff indicated that if a claimant does not provide 
documentation to support wages, or provides incomplete 
documentation, the claimant can still receive the minimum amount that 


is eligible under the program. 


During Fiscal Year 2020, due to the COVID-19 pandemic, the 
Department experienced a 1,500 percent increase in UI benefits paid 
compared to Fiscal Year 2019. The Department reported it paid over 
$4.2 billion in UI benefit payments during Fiscal Year 2020. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls in place during Fiscal Year 
2020 over adjudicating claims and processing of UI benefit payments, 
and whether it recorded the UI financial transactions accurately in 
CORE. 


As part of our testing procedures, we requested the detail of UI benefit 
payments processed by the Department from March to June 2020—the 
time period during which additional UI payments were issued as a result 
of the COVID-19 pandemic. We interviewed Department personnel 
related to the processing of UI payments, as well as the impacts on UI 
as a result of the pandemic. We requested support for amounts paid 
after fiscal year end that were related to claims incurred prior to June 
30, 2020, as well as support for overpayments identified by the 


Department after fiscal year end that related to benefits paid prior to 
June 30, 2020. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit against the following: 


Governmental Accounting Standards Board Statement No. 62, 
Codification of Accounting and Financial Reporting Guidance 
Contained in Pre-November 30, 1989 FASB and AICPA 
Pronouncements, as amended, states that “Preparing financial 
statements requires estimating the effects of future events. Examples 
of items for which estimates are necessary are uncollectible 
receivables.... Future events and their effects cannot be perceived 
with certainty; estimating, therefore, requires the exercise of 
judgment. Therefore, accounting estimates change as new events 
occur, as more experience is acquired, or as additional information 


is obtained.” 


The Office of the State Controller’s (OSC) Fiscal Procedures Manual 
(Manual) 3.1, Preparing Accounting Estimates, states that 
departments should review their current accounting estimation 
procedures to ensure they are consistent with OSC guidance. The 
revenue and expenditure accrual estimation methodologies must be 
documented, so the process and source data may be used from year 
to year to achieve consistency and improve the estimation 
methodology. An inaccurate estimate may indicate the need to 
research variances and use a different methodology to produce a 


more accurate estimate. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


During our Fiscal Year 2020 audit, we identified several significant 


problems with the Department’s accounting related to UI benefit 
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payments. Specifically, we found that the Department failed to consider 
the impact of a 1,500 percent increase in UI claims during Fiscal Year 
2020 resulting from the COVID-19 pandemic when performing its 
fiscal year-end accounting processes and recording accounting activity. 
As a result, the Department’s accounting records were significantly 
understated as of the time of our audit. After we inquired about the 
accounting omissions, Department staff submitted three transactions 
totaling approximately $2.1 billion to the OSC to record and adjust 
liabilities, receivables, federal revenue, and expenditures related to UI 


benefit payments in the Unemployment Insurance Fund. 


The specific issues that we found are as follows: 


FAILURE TO RECORD A PAYABLE FOR FISCAL YEAR 2020 CLAIMS DUE 
AS OF JUNE 30, 2020, BUT PAID AFTER YEAR END. The Department 
failed to calculate and record an accounts payable amount for UI 
claims that were due to individuals as of June 30, 2020, but had not 
been paid. When we brought this to the Department’s attention, the 
Department recorded an estimated liability and related expenditures 
owed to claimants of $597.3 million, and a federal receivable and 
federal revenue of $444.0 million. Department staff indicated that 
this estimate was based on payments made from the period of July 
1 through July 18, 2020; however, the Department did not provide 
evidence that this period covered the accurate time frame for 
recording the estimate. Therefore, the reasonableness of this 


estimate could not be established. 


FAILURE TO RECORD RECEIVABLES AND PAYABLES FOR 
UNADJUDICATED CLAIMS. The Department did not record an 
estimated accounts receivable from claimants or related accounts 
payable to the federal government for erroneous and/or fraudulent 
claims paid prior to June 30, 2020, which had not been adjudicated. 
When we brought this to the Department’s attention, the 
Department recorded an estimated overpayment receivable of 
$359.5 million and federal payable of $215.3 million. The 


Department calculated the estimate using a prior year UI 


overpayment average across all states of 10.2 percent of claims paid. 
It was unclear if the prior year average reflected a similar 
overpayment percentage or if the estimate was otherwise 
appropriate due to the Department’s lack of research related to the 


outstanding claims. 


FAILURE TO RECORD ACTIVITY RELATED TO UNCOLLECTED 
OVERPAYMENTS. In October 2020, the Department identified an 
error in the form used by applicants to apply for PUA claims and 
estimated that the error resulted in $52.1 million in overpayments 
to 11,445 claimants during Fiscal Year 2020. Although the 
Department determined it would not require the claimants to repay 
the funds, the Department did not make an adjusting entry in CORE 
to reflect the overpayments, including reducing its federal revenues 
and expenditures and recording an amount due to the federal 
government and bad debt expense. In addition, the Department did 
not provide documentation to support the amount of the 
overpayments other than email correspondence, and it could not 
provide evidence that the entire $52.1 million overpayment was 


related to payments prior to June 30, 2020. 


CALCULATION ERROR IN ALLOWANCE ACCOUNT. The Department 
miscalculated an offset, or allowance, to a UI benefit overpayment 
receivable that it recorded to reflect overpayments that it does not 
expect to collect from claimants. The Department used its 
methodology for estimating the allowance, but made a calculation 
error that resulted in the Department understating the allowance 
and overstating the receivable by $7.4 million. After we notified the 


Department of the error, the Department corrected the entry. 


FAILURE TO RECORD A RECEIVABLE FOR IDENTIFIED FRAUDULENT 
OVERPAYMENTS. The Department identified fraudulent PUA 
payments totaling approximately $243,000 during Fiscal Year 
2020. For these identified payments, the claimant was not 
responsible for the identify theft fraud. The Department did not 


record a receivable and a payable to the federal government, or bad 
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debt expense for any of these fraudulent payments, and did not 


reduce its federal revenue. 


WHY DID THESE PROBLEMS OCCUR? 


The Department lacked adequate internal controls over its accounting 
for UI benefit payments, as follows: 


As of June 30, 2020, the Department had not adjudicated all claims 
that had received UI benefits during Fiscal Year 2020, and therefore 
could not estimate the amount of UI overpayments it had made due 
to error or fraud as of June 30, 2020. As of the end of our audit, the 
Department stated that approximately 206,000 standard UI issues, 
representing about 82,000 unique claimants, had not been 
adjudicated and remained outstanding for payments that were 
processed prior to June 30, 2020. Furthermore, the Department 
could not provide information relating to the number of claims that 
still needed to be reviewed for payments made under the PUA 
program. This issue will also be addressed in the Department of 
Labor and Employment section of our Statewide Single Audit 
Report, to be released in June 2021. 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


The Department lacked sufficient communication between its UI 
Program staff and accounting staff to consider the impacts of 
decisions made for the UI Program on the Department’s accounting 
records and, ultimately, the State’s financial statements. 


The Department did not have an adequate methodology for 
calculating and recording the estimated amount of receivables and 
payables for UI payments. Specifically, the Department’s current 
process requires that Department accounting staff record the 
receivables for established overpayments based on the benefit system 
once at fiscal year end, rather than during the year as overpayments 
are identified. 


WHY DO THESE PROBLEMS MATTER? 


Overall, the Department’s records did not permit us, nor was it practical 
to extend or apply other auditing procedures, to obtain sufficient, 
appropriate audit evidence to conclude that the receivable and payable 
balances in the Unemployment Insurance Fund as of June 30, 2020, 
were free of material misstatement. Further, due to the uncertainty 
surrounding the balances as a result of the significant number and 
amount of unadjudicated cases that were outstanding at fiscal year end, 
we issued a modified audit opinion on the State’s Fiscal Year 2020 
financial statements related to the Unemployment Insurance Fund and 
Business-Type Activities as a whole. 


Strong financial accounting internal controls are necessary to ensure 
that UI balances are accurate; free of material misstatement; supported 
by sufficient, appropriate evidence; and reported accurately on the 
State’s financial statements. Because the UI Program and its related 
activities are material to the State’s financial statements, errors related 
to the program can negatively affect the auditor’s opinion on the State’s 
financial statements, as they did for Fiscal Year 2020. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-023 


The Department of Labor and Employment (Department) should 
improve its internal controls over its accounting for Unemployment 


Insurance (UI) benefit payments by: 


A Establishing a timeframe for adjudicating the backlog of 
outstanding claims, and establishing overpayments for any benefits 
that were paid in error and/or fraud. 
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B Developing and implementing an adequate communication process 


between its UI Program staff and accounting staff to consider the 
impact of program staff decisions on the Department’s accounting 
records and State’s financial statements, and to ensure that 
transactions are properly recorded in the Colorado Operations and 
Resource Engine. 


> Developing and implementing a methodology for calculating 


estimated receivables and payables for UI benefit payments, and 
recording receivables throughout the year as overpayments are 


established. 


RESPONSE 


DEPARTMENT OF LABOR AND 
EMPLOYMENT 


A AGREE. IMPLEMENTATION DATE: DECEMBER 2021. 


The UI Division processed and continues to process the outstanding 
backlog of claims in accordance with: requirements contained 
within the Colorado Employment Security Act, Executive Order D 
2020-12 and its extensions, Section 303(A)(1) of the Social Security 
Act, 20 CFR Part 602, Appendix A, Employment Security Manual 
(ESM), Part V, Section 6013, ETA Manual No. 301, UI Performs: 
Benefits Timeliness and Quality - Nonmonetary Determinations 
Quality Review, and Unemployment Insurance Program Letter 
(UIPL) 15-01. Additionally, the UI Division engaged with a vendor 
to assist with this work under all of the aforementioned 
requirements and will continue to utilize those additional services so 
long as merit staffing flexibility is provided through Congressional 
action. Unique challenges were caused by the COVID-19 pandemic, 
resulting in implementation of three new federal programs along 
with regular state unemployment benefits. Regular state claims for 
the preceding three fiscal years averaged 109,000 per year and did 
not require review of all claims. Claims submitted for regular state 


benefits in the recently closed fiscal year amounted to 548,000 with 
all requiring review to ensure proper account charging pursuant to 
EO D 2020-12. This represents five years volume of work with 
337,000 of those claims filed between March 15 and April 30,2020. 
We expect adjudication of the backlog of outstanding claims to be 


completed by the implementation date. 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


Finance now has metrics in each employee’s performance evaluation 
that requires written policies and procedures as part of the first step 
of the Finance Reorganization Plan. The UI Division and the Finance 
Office will strengthen communication and ensure there is mutual 
understanding of the impact of programmatic decisions on future 
accounting transactions. CDLE is committed to ensuring program 
and fiscal staff collaborate. Key UI Division Leadership, Finance 
Accountants, and Budget Analysts will attend regularly scheduled 
UI Budget meetings, Finance Accountants will be trained and cross 
trained and collaborate with UI program staff to ensure that all 
accounting transactions are properly recorded in the State’s 
accounting system, the Colorado Operations and Resource Engine 
(CORE). The UI Division recognizes this recommendation as a 
shared responsibility with the Finance Office and will develop a 
system of check-off lists to be maintained and reviewed on a semi- 
annual basis to ensure proper procedures and notification to the 
Finance Office is occurring on a regular basis. Creating these 
documents will prevent similar errors from occurring in future years 


regardless of leadership in place at that time. 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


One of the greatest impacts of COVID19 was, and continues to be, 
the increase in workload volume of regular state unemployment 
claims and related Finance activities. In 2020, regular 
unemployment claims equaled five years worth of work (548,000) 
and Pandemic Unemployment Assistance (PUA) claims equaled over 


one additional year of work (127,000). Historically, payables were 
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not recorded by CDLE due to the fact that benefit payments are 
made on a cash basis. Finance and UI will need to quantify and 
support, with data from MyUI+; what subsequent payments relate 
to the prior fiscal year in order to record payables. The SFY2020 
external audit revealed that Finance Accountants were not aware 
(until February 2021) of the need to capture additional receivables 
for Pandemic funding or for overpayments. Normally, receivables 
are adjusted based on reporting from the benefit payment system 
once a year. Comprehensive reports were not available from MyUI+ 
for the additional receivable adjustment for pandemic claims and 
overpayments for SFY2020. With more frequent budget to actual 
meetings; with the availability of comprehensive reporting from 
MyUI+, with the development of policies and procedures of 
accounting processes, and with the implementation of a checklist of 
activities; Finance can record receivables and payables on a 


consistent basis throughout the year. 


INTERNAL CONTROLS 
OVER FINANCIAL 
REPORTING 


The Department’s Accounting Section is responsible for all of the 
Department’s financial reporting, including the accurate and timely entry 
and approval of financial transactions into CORE. The Department is 
also responsible for providing additional information through the 
submission of OSC-required exhibits to assist the OSC in its preparation 


of the State’s financial statements and required note disclosures. 


In order for the OSC to meet its statutorily-required timeframes for the 
creation of the State’s financial statements, the OSC established various 
periods with specified closing dates in CORE for department entries. 
For example, for Fiscal Year 2020, Period 13, which was closed on 


August 4, 2021, was available for departmental entry of adjustments 


and represented the OSC’s closing of the State’s “official accounting 
records” by 35 days after fiscal year end, as required by state statute 
[Section 24-30-204(3), C.R.S.]. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls in place over financial 
accounting and reporting during Fiscal Year 2020. In addition, the 
purpose of our work was to determine whether the Department 
complied with state requirements and OSC procedures related to 
financial accounting and reporting. 


We analyzed the Department’s CORE transactional data recorded after 
the State’s Fiscal Year 2020 statutory closing date of August 4, 2020, 
to identify the number and dollar amount of transactions that were 
processed after the OSC’s statutory deadline for closing the State’s 
accounting records. We also reviewed the Department’s exhibits that 
were submitted to the OSC for Fiscal Year 2020 year-end reporting and 
the related supporting documentation to determine whether 
Department staff prepared the exhibits in accordance with the OSC’s 
Manual. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured our results against the following criteria: 


State statute [Section 24-30-204(3), C.R.S.] requires the State’s 
“official accounting records” to be closed no later than 35 days after 
the end of the fiscal year. Specifically, for Fiscal Year 2020, the 
State’s accounting records were required to be closed by August 4, 
2020. As of this date, all departments’ adjusted revenue, 


expenditures, and expense accounts were required to be entered into 
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CORE. Any Fiscal Year 2020 entries made after that date were 
required to be approved by the OSC. 


State Fiscal Rule 1-2, Internal Controls, Rule 3.5, requires that state 
departments “implement internal accounting and administrative 
controls that reasonably ensure that financial transactions are 
accurate, reliable, conform to State Fiscal Rules, and reflect the 
underlying realities of the accounting transaction (substance rather 
than form).” Examples of these internal controls are written policies 
and procedures, periodic reconciliations of amounts to CORE, and 


periodic staff training on policies and procedures. 


The Manual references the Fiscal Year 2020 Open/Close Calendar 
published by the OSC, which states that the submission due dates 
for the majority of the exhibits is August 12, 2020. In addition, the 
Manual contains specific instructions for the completion of the 


exhibits. Specifically: 


Exhibit M, Custodial Credit Risk Related to Cash on Hand or 
Deposited with Financial Institutions, is used to report each 
department’s cash on hand and cash deposited in financial 
institutions by categories of risk. In addition, the Exhibit M 
reports the related cash balances recorded in CORE. 


Exhibit K1, Schedule of Federal Assistance, is used to report 
federal expenditure information for statewide compilation and 
reporting of the Schedule of Expenditures of Federal Awards 
(SEFA). Federal requirements issued by the Office of 
Management and Budget (OMB) [2 CFR 200, Uniform 
Administrative Requirements, Cost Principles, and Audit 
Requirements for Federal Awards, Appendix XI to Part 200— 
Compliance Supplement] requires that state unemployment 
insurance expenditures be included with federal unemployment 
insurance expenditures on the State’s SEFA; therefore, the full 
amount of state and federal unemployment insurance 
expenditures should be included on the Exhibit K1. Also, the 


OSC requires departments to report all monetary and non- 


monetary federal award amounts passed through to a 
subrecipient in a separate column on the Exhibit K1. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


Based on our audit testwork, we identified issues with the Department’s 
fiscal year-end accounting procedures and exhibit reporting. The 
specific issues we identified are as follows: 


The Department posted 142 entries totaling approximately 
$944.3 million between the State’s statutory closing deadline of 
August 4, 2020, and September 17, 2020, or up to 44 days after the 
closing deadline. Furthermore, based on our audit testwork, we 
determined that the Department did not consider the impacts of 
Unemployment Insurance overpayments and potential fraud to the 
accounting records as of fiscal year end, and did not record related 
entries in CORE. After we brought the issues to the Department’s 
attention, the Department submitted three entries totaling 
approximately $2.1 billion to the OSC to record liabilities and 
receivables for the Unemployment Insurance Fund on February 22, 
2021, more than 200 days after the State’s statutory closing period. 
See RECOMMENDATION 2020-023 for additional details. 


The Department submitted 6 of its 10 required exhibits (60 percent) 
13 to 15 days after the OSC deadline. In addition, we identified 
errors and omissions related to 2 of its 10 exhibits (20 percent). 


Specifically, we found the following issues: 


Exhibit M, Custodial Credit Risk Related to Cash on Hand or 
Deposited with Financial Institutions. For one of eight cash 
accounts included on the Departments Exhibit M, the 
Department incorrectly understated its CORE balance by 
$20.9 million. After we notified Department staff of the error, 
they submitted a corrected Exhibit M to the OSC. Additionally, 
for two cash accounts, the Department reported large differences 
totaling $226.6 million between the Department’s bank balances 


— 
T 
— 
— 
N 


YOLIGAV ALV.LS OGVUOTOO AHL AO LYOdAU 


II-118 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


and the amounts recorded in CORE on its Exhibit M. The 
Department could not provide evidence to support whether the 
balance in CORE, which was lower than the bank balance in 
both instances, was accurate or the reason for the differences. 
These two accounts are used by the Department to record 
unemployment insurance benefit transactions, including 
payments to individuals and reimbursements from the federal 


government. 


Exhibit K1, Schedule of Federal Assistance. The Department 
inappropriately omitted approximately $1.4 billion of the State’s 
Unemployment Trust Fund expenditures on the Exhibit K1. 
While these amounts are not federal expenditures, the State’s 
expenditures from the Unemployment Trust Fund are required 
to be reported on the SEFA. In addition, the Department 
inappropriately omitted $30.2 in payments to subrecipients on 
the Exhibit K1. After we notified Department staff of the errors, 
they submitted a corrected Exhibit K1 to the OSC. 


WHY DID THESE PROBLEMS OCCUR? 


The Department lacked sufficient internal controls over its financial 
accounting processes, including its fiscal year-end closing process for 
Fiscal Year 2020. Specifically, the Department did not have documented 
policies and procedures related to its accounting processes and exhibit 
preparation and review. In addition, the Department did not perform 
routine reconciliations between its bank and CORE balances 
throughout the year or at fiscal year end to identify, investigate, and 
correct, as applicable, reconciling items in a timely manner. Finally, the 
Department experienced staff turnover in key financial positions during 
Fiscal Year 2020, and existing employees were not adequately cross- 


trained to take on the required additional responsibilities. 


WHY DO THESE PROBLEMS MATTER? 


Strong financial accounting internal controls, including effective review 


processes and procedures over financial transactions, exhibits, and 


routine reconciliations, are necessary to ensure that balances are 
reported accurately and in accordance with rules and regulations. 
Without sufficient internal controls, the Department cannot ensure that 
it is providing timely, complete, and accurate financial information to 
the OSC and, ultimately, that the State’s financial statements are 


accurate. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-024 


The Department of Labor and Employment should strengthen its 
internal controls over financial reporting to ensure the timely entry of 
fiscal year-end financial activity into the Colorado Operations Resource 


Engine (CORE) and accurate reporting of financial information by: 


A Developing and implementing policies and procedures for its 


accounting processes and exhibit preparation and review. 


iss) 


Performing reconciliations between its bank and CORE balances 
throughout the year and at fiscal year end to identify, document, 


and correct reconciling items in a timely manner. 


$ 


Cross-training existing employees on additional responsibilities to 
allow for appropriate delegation when turnover occurs. 
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RESPONSE 


DEPARTMENT OF LABOR AND 
EMPLOYMENT 


A AGREE. IMPLEMENTATION DATE: MARCH 2022. 


CDLE would like to provide context surrounding Fiscal Year 
2020 (SFY20). On February 20, 2020, CDLE lost both its 
Controller and Deputy Controller to transfers to another State 
agency. By the end of July, we lost two Accountant IIIs (one to 
another State agency), an Accountant I who transferred to 
another State agency and one Accountant II. Lastly, in August; 
we lost one of our two Accountant IVs, who had the 
responsibilities of cost allocation, schedule K-1, and supervising 
UI Accountants (who manage cash, subsystems, year end 
reconciliation of applicable grants, and reconciliation of UI bank 
accounts). These staff vacancies compromised our ability to 
timely and effectively close SFY20. Finance had fewer 
experienced accountants to complete all required tasks and meet 
deadlines. By June, it was obvious to the new Controller and the 
DED/CFO that there was inadequate documentation of financial 
policies and procedures and no cross training. As a result, the 
new Controller and the DED/CFO released a Finance 
Reorganization Plan on August 21st to address and remedy these 
issues. The development and release of the Finance 
Reorganization Plan is our first step toward hiring Accountants 
with state experience which will aid in the creation of policies 
and procedures, monitoring, timely review and completion of 
accounting processes up to and including activities and exhibits 
related to fiscal year end. 


AGREE. IMPLEMENTATION DATE: MARCH 2022. 


Prior Finance leadership left CDLE with inconsistent 
reconciliation practices, and inadequate written procedures. 


Once fully staffed, with technically capable individuals in the 


appropriate roles and responsibilities; we will remedy these 
issues. Our plan to address these deficiencies, includes but is not 
limited to, checklists/desk aids, written documentation of 
policies and procedures, training and cross training, and 
implementing monthly bank reconciliations throughout the year 
and at fiscal year-end to identify, document, and correct 
reconciling items in a timely manner. We project that it will 
require a year to be fully staffed, trained, and cross trained. 


AGREE. IMPLEMENTATION DATE: MARCH 2022. 


Prior Finance leadership left CDLE with inadequate available 
written procedures/business practices of which staff was aware. 
Positions were siloed, in other words, narrow in focus and based 
solely on programs/funding source. COVID19 impacted the 
Finance Division with increased volume of activities and 
transactions associated with Unemployment Insurance benefits. 
Areas impacted included UI fraud, Federal legislation, upcoming 
roll out of MyUI+, UI Trust Fund insolvency, special projects 
(including Lost Wages Assistance, and Polis Single Payment) and 
data reporting. The way in which communication and training 
could be performed while teleworking changed. In addition, 
budget cuts requiring furloughs, compounded our cross training 
deficiencies. With much care and thought, the Controller and the 
DED/CFO released a Finance Reorganization Plan. This Plan 
details the elimination of Accounting Technician positions and 
replacing them with more technically competent Accountants. 
The Plan also requires cross training and integration of 
performance metrics into employee performance evaluations. 
We are continuing to hire and to develop new technically 
competent accounting staff. We plan to train existing staff in 
support of our vision and to transfer institutional knowledge 
when turnover occurs. We expect that by 2022, we will be in 
that position. The CDLE Finance Reorganization Plan is 
available upon request. 
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DEPARTMENT OF LABOR AND 
EMPLOYMENT 


The following recommendation relating to an internal control 
deficiency classified as a SIGNIFICANT DEFICIENCY was communicated 
to the Department of Labor and Employment (Department) in the 
previous year, and has not been remediated as of June 30, 2020, because 
the original implementation dates provided by the Department are in a 
subsequent fiscal year. This recommendation can be found in the 
original report and SECTION III: PRIOR FINANCIAL RECOMMENDATION 
of this report. 


AUGUST 2020 
CURRENT REC. NO. 2020-025 PRIOR REC. NO. 2019-026 IMPLEMENTATION DATE 


A 
B SEPTEMBER 2020 
C JUNE 2021 

D SEPTEMBER 2020 


CLASSIFICATION SIGNIFICANT DEFICIENCY 


LEGISLATIVE 
DEPARTMENT 


The Legislative Department (Department) is comprised of six individual 
agencies, which include: 


GENERAL ASSEMBLY. Colorado’s State Legislature is called the 
General Assembly. The Colorado Constitution grants the 
lawmaking power and thus, the public policy-making power of the 
State, to the General Assembly. There are 100 elected members 


serving as Legislators—35 senators and 65 representatives. 


JOINT BUDGET COMMITTEE (JBC). The JBC is the fiscal and 
budget review agency for the State and is comprised of six members 
of the General Assembly. The JBC works year-round and has a full- 
time staff. The JBC studies the programs, management, operations, 
and fiscal needs of all state agencies and reviews budget requests and 
holds hearings with agency managers. The JBC also reviews capital 
construction and controlled maintenance recommendations made 


by the Capital Development Committee. 


LEGISLATIVE COUNCIL. The Legislative Council Committee is 
an 18-member body comprised of six members of the Senate, six 
members of the House, and the six-member Executive Committee. 
The Executive Committee, which is comprised of the President of 
the Senate, the Speaker of the House of Representatives, and the 
majority and minority leaders of both houses, is the governing body 
of the Legislative Branch. Legislative Council Staff provides 
nonpartisan services to the General Assembly, including 
Information Technology, central accounting, constituent services, 
research services, fiscal analysis, economic forecasting, visitor 


services, printing, and committee staffing services. 
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OFFICE OF THE STATE AUDITOR (OSA). The State Auditor was 
established in the State’s Constitution and serves as the State’s 
independent, external auditor. The State Auditor is appointed by a 
majority vote of both houses of the General Assembly to serve for a 
term of five years and must be a certified public accountant licensed 
to practice in Colorado. The duties of the State Auditor are to 
conduct performance and financial audits of all state departments, 
institutions, and agencies of state government and to conduct special 
audits of any department, institution, or agency at the request of the 
Governor or a member of the General Assembly, upon a majority 
vote of the Legislative Audit Committee. In addition, the OSA 
examines all reports submitted by local governments under the Local 
Government Audit Law, administers the OSA Fraud Hotline, and 


conducts tax expenditure evaluations on a 5-year cycle. 


OFFICE OF LEGISLATIVE LEGAL SERVICES. The Committee on 
Legal Services consists of 10 members of the General Assembly: the 
chairpersons of the Senate and House Judiciary Committees; four 
members from the Senate appointed by the President, two from each 
party; and four members from the House of Representatives 
appointed by the Speaker, two from each party. The Committee on 
Legal Services appoints a director who is an attorney-at-law. The 
director appoints a professional staff which includes attorneys-at- 
law and technical and clerical personnel to assist in the operation of 


the Office of Legislative Legal Services. 


REDISTRICTING COMMISSIONS. Colorado voters approved 
two amendments, Amendments Y and Z, to the Colorado 
Constitution in 2018, which established and required two separate 
independent commissions for congressional and state legislative 
redistricting. Each commission comprises 12 members who are 
chosen by a three-judge panel from a pool of applicants. Legislative 
leadership is given an opportunity to provide input on eight of the 
members who are selected from the pool to represent the two major 
political parties. The three-judge panel chooses the final four 


commissioners from those applicants who are unaffiliated with a 


II-125 


political party. The Commission has nonpartisan staff who are 
responsible for creating and making public the commissioner 
applications, vetting the applicants, staffing the three-judge panels 
and the commissions, and drawing and amending maps based on 
constitutional parameters and feedback from the commissioners and 
the public. The redistricting commissions were not active during 
Fiscal Years 2019 or 2020. 


For Fiscal Year 2020, the Department was appropriated approximately 
$56.7 million and 307 full-time equivalent (FTE) staff. 
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The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


LEGISLATIVE DEPARTMENT 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 
CASH AND 


REAPPROPRIATED 
FUNDS $1.5 


GENERAL 
FUNDS 
$55.2 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


Il-126 


LEGISLATIVE DEPARTMENT 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 
OFFICE OF 

LEGISLATIVE GENERAL 
LEGAL ASSEMBLY 

SERVICES a 73 

57 
JOINT 
BUDGET 
COMMITTEE 
16 


OFFICE OF THE 
STATE AUDITOR- 


79 ~ LEGISLATIVE 


COUNCIL 
82 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


The following comment was prepared by the public accounting firm of 
McGee, Hearne & Paiz, LLP, which performed the Fiscal Year 2020 
audit work at the Department under contract with the Office of the 
State Auditor. 
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ACCOUNTING 
CONTROLS— 
INACCURATE 
PREPARATION AND 
TIMELINESS OF 
FINANCIAL STATEMENTS 
AND EXHIBIT J 


The Department’s financial activity is managed through two separate 
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and distinct accounting processes and personnel. Specifically, the OSA 
maintains accounting internal controls and records separate from the 
remaining five agencies of the Department, which are maintained by 
Legislative Council Staff (LCS). For financial reporting purposes, the 
OSA’s Controller provides accounting records to LCS’s Controller, who 
is ultimately responsible for preparing the Department’s financial 
statements and for reporting the financial statement information for the 
Department as a whole to the Office of the State Controller (OSC) 
through exhibit submissions. The financial statements and exhibits are 
required to be accurate, submitted on a timely basis, and representative 
of the Department’s financial information for the fiscal year. The 
financial statements and exhibits are provided to the external auditors 
who subject them to testing in order to ensure the State’s overall 


aggregate financial statement reporting is complete and accurate. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls in place over, and complied 
with, applicable requirements related to its financial accounting and 


reporting processes for Fiscal Year 2020. 
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As part of our audit, we performed testing of the Department’s internal 
controls over various financial processes, including the Department’s 
preparation of its Fiscal Year 2020 financial statements and Exhibit J, 
Financial Statement Report. The OSC requires state departments that 
prepare separate standalone financial statements to prepare the Exhibit 
J, which requires departments to reconcile the financial statements to 
the Colorado Operations Resource Engine (CORE), the State’s 
accounting system. Our testing included comparing the Department’s 
financial statements to Exhibit J and the related supporting 
documentation to determine whether the Department prepared the 
financial statements and Exhibit J accurately and in accordance with the 
OSC’s Fiscal Procedures Manual (Manual). 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


The Manual [Chapter 1, Section 3.3, State of Colorado Accounting 
Organization Objectives and Section 3.7a, State of Colorado 
Accounting Organization Shared Responsibilities] requires state 
departments to “establish internal controls for their departments” in 
order to “maintain an internal control environment that enhances 
sound business practices, clearly defines roles, responsibilities, and 
accountability, and provides for the prevention and detection of 
fraudulent activity.” This includes maintaining internal controls over 
the preparation of applicable exhibits for submission to the OSC, per 


the requirements of the Manual. 


The Exhibit J is required to be prepared and submitted to the OSC by 
departments that prepare separately issued financial statements, such as 
the Department. The Exhibit J is used to reconcile the Department’s 
account balances contained in CORE to the Department’s financial 
statements. State statute [Section 24-30-204, C.R.S.] requires that 
department financial statements be submitted annually to the OSC no 
later than August 25, subject to any extensions that may be granted by 
the OSC; the OSC requires departments to submit their financial 


statements and related notes to the OSC with the Exhibit J. The 
Department’s final Fiscal Year 2020 reporting due date for the Exhibit 
J, after OSC-provided extensions, was September 2, 2020. 


The Department is also responsible for preparing its standalone 
financial statements and related note disclosures in compliance with 
generally accepted accounting principles (GAAP). Governmental 
Accounting Standards Board Statement No. 72, Fair Value 
Measurement and Application, requires that investments be measured 


at fair value. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


The Department’s June 30, 2020, cash balances on deposit with the 
State Treasurer, as reported in its Fiscal Year 2020 financial statements, 
were understated by $542,621 due to the Department’s failure to record 
an adjustment to increase its fiscal year-end pooled cash and investment 
balances from the cost basis to fair market value. The Department also 
reported the incorrect cash balances to the OSC on its financial 
statements and Exhibit J. Further, the Department submitted its 
financial statements and Exhibit J to the OSC on September 14, 2020, 
which was 12 days after the required submission date. We also 
experienced delays in receiving requested supporting documentation for 
purposes of testing the accuracy and completeness of the financial 
statements and the Exhibit J. 


WHY DID THESE PROBLEMS OCCUR? 


In November 2019, the Department experienced turnover in LCS’s 
Controller position, who is tasked with the review of financial activity 
entered in CORE by the accounting staff, preparation of the 
Department’s financial statements, and submission of all exhibits to the 
OSC, including the Exhibit J. Although the Department filled the 
position after 2 months, the Department lacked documented procedures 


for the position and provided only minimal training to the new 


H-129 


AOLIAAV ALV.LS OAVAOTOO AHL AO LYUOdAU 


II-130 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


Controller related to financial statement and Exhibit J preparation. 
Further, the Department does not have a process in place for cross- 
training of these processes among staff. The Department also did not 
have a supervisory review process in place over preparing the financial 
statements and exhibits during Fiscal Year 2020 or sufficient controls 
to ensure they were completed and submitted to the OSC in a timely 


manner. 


WHY DO THESE PROBLEMS MATTER? 


A lack of sufficient internal controls, including a lack of an adequate 
and timely review process, ultimately threatens the integrity of the 
State’s financial statements by potentially affecting the accuracy and 
completeness of the financial reporting information contained in the 
financial statements and accompanying notes necessary for compliance 
with GAAP. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-026 


The Legislative Department should improve its internal controls over 
fiscal year-end financial reporting by: 


A Documenting the procedures and related supporting documentation 
necessary to prepare the Office of the State Controller’s (OSC) 
required exhibits and the related standalone financial statements to 
ensure consistent, accurate, and timely reporting of the information 
to the OSC and the external auditors. 


iss) 


Implementing a documented review of all exhibits to be submitted 
to the OSC by a person who is not the exhibit preparer. 


C 


D 


Ensuring that all staff involved in the preparation and review 
processes established through PART B of this recommendation 
receive adequate training to ensure the exhibits are accurate and 
comply with the OSC submission requirements. 


Providing sufficient cross-training of accounting personnel in regard 
to the key preparation and review controls related to the exhibits, 
so that in the event of turnover or unexpected leaves of absence, the 
controls will continue to operate as designed. 


RESPONSE 


A 


LEGISLATIVE DEPARTMENT 


AGREE. IMPLEMENTATION DATE: JUNE 2021. 


We agree and have already discussed the assembly of a fiscal year- 
end financial reporting procedural manual. The controller will 
assemble the manual to cover year-end processes for closing the 
fiscal year, and the preparation of the correlating financial 
statements. 


AGREE. IMPLEMENTATION DATE: AUGUST 2021. 
The controller will present and review all exhibits with the 


Legislative Council Director prior to the submission deadline. A 
reviewed and signed copy by the Legislative Council Director will 
be kept on file with our year-end close files. 


AGREE. IMPLEMENTATION DATE: APRIL 2021. 


In order to ensure the exhibits are accurate and comply with OSC 
submission requirements, the Legislative Council Controller will 
document attendance to the open and close training facilitated by 
the OSC each year. The Controller’s active participation in this 
yearly training will ensure that there is an understanding of any 
newly implemented requirements, and will also give an opportunity 
to clarify any areas of uncertainty in producing the department’s 
exhibits. 
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D AGREE. IMPLEMENTATION DATE: JUNE 2021. 


In conjunction with recommendation “A,” the accounting staff will 
begin cross training on key processes outlined in the new procedural 


manual. 
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DEPARTMENT OF LOCAL 
AFFAIRS 


The Department of Local Affairs (Department) is responsible for 
strengthening local communities by providing strategic training, 
research, technical assistance, and funding to localities. There are five 


separate divisions within the Department as follows: 


EXECUTIVE DIRECTOR’S OFFICE. This office provides 
leadership and support for the other Department divisions, 
including communications and media relations, legislative liaison, 


human resources, budgeting, and finance. 


BOARD OF ASSESSMENT APPEALS. This board hears appeals 
filed by real and personal property owners regarding the valuation 


placed on their property. 


DIVISION OF HOUSING. This division provides state and federal 
funding to increase the inventory of affordable housing and to offer 
Housing Choice Voucher rental assistance statewide. The Housing 
Choice Voucher program, formerly known as Section 8, funded by 
the U.S. Department of Housing and Urban Development (HUD) 
contracts with public housing authorities and non-profit 
organizations to assist low-income families, the elderly, and the 
disabled to afford decent, safe, and sanitary housing in the private 


market. 


DIVISION OF LOCAL GOVERNMENTS. This division provides 
technical information to local governments on available federal and 
state programs, performs research on local government issues, and 
provides information to the Governor and General Assembly on 


local government needs and problems. 
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DIVISION OF PROPERTY TAXATION. This division coordinates 
and administers the implementation of property tax law throughout 
the State. 


For Fiscal Year 2020, the Department was appropriated approximately 
$349.1 million and 189 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF LOCAL AFFAIRS 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


FEDERAL FUNDS 
$82.0 


REAPPROPRIATED 
FUNDS 
$12.6 CASH FUNDS 


$205.7 


GENERAL FUNDS 
$48.8 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


DEPARTMENT OF LOCAL AFFAIRS 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 
BY MAJOR AREAS 


EXECUTIVE 
DIRECTOR'S 
OFFICE 

14 


DIVISION OF LOCAL 


GOVERNMENT PROPERTY 
65 TAXATION 
50 


DIVISION OF HOUSING 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


The following comment was prepared by the public accounting firm of 
Eide Bailly, LLP, which performed the Fiscal Year 2020 audit work at 
the Department under contract with the Office of the State Auditor. 


CORE—INFORMATION 
SECURITY 


Government Auditing Standards allow for information that is 
considered sensitive in nature, such as detailed information related to 
information technology system security, to be issued through a separate 
“classified or limited use” report because of the potential damage that 
could be caused by the misuse of this information. We consider the 
specific technical details of this finding, along with the response, to be 
sensitive in nature and not appropriate for public disclosure. Therefore, 
the details of the following finding and response have been provided to 


the Department in a separate, confidential memorandum. 


The Colorado Operations Resource Engine (CORE) is the State’s 


accounting system. The Department of Personnel & Administration’s 
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Office of the State Controller (OSC) developed policies which apply to 
all state departments outlining the requirements for regulating employee 
access to the system. The Department is responsible for compliance with 
the OSC’s CORE policies. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the 


Department had CORE information security controls in place. 


We interviewed Department staff and performed procedures to test the 


Department’s IT internal controls over CORE information security. 


HOW WERE THE RESULTS OF THE AUDIT 
WORK MEASURED? 


We measured the results of our work against the OSC’s CORE policies. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


Based on our work, we found that the Department did not ensure full 
compliance with the OSC’s CORE policies during Fiscal Year 2020. 


WHY DID THE PROBLEM OCCUR? 


Department staff did not communicate in a timely manner with the 


CORE security administrator. 


WHY DOES THIS PROBLEM MATTER? 


The Department is responsible for its information contained in CORE 
and ensuring compliance with the OSC’s CORE policies. By not 


ensuring compliance, the Department is at an information security risk, 


which could have an adverse impact on the confidentiality, integrity, 
and availability of the data within CORE. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-027 


The Department of Local Affairs should improve information security 
controls over the Colorado Operations Resource Engine by mitigating 


the information security problems noted in the confidential finding. 


RESPONSE 
DEPARTMENT OF LOCAL AFFAIRS 


AGREE. IMPLEMENTATION DATE: JANUARY 2021. 


The Department will implement this recommendation by mitigating the 


specific problems noted in the confidential finding. 
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DEPARTMENT OF 
PERSONNEL & 
ADMINISTRATION 


The primary function of the Department of Personnel & Administration 
(Department) is to support the business needs of the State’s Executive 
Branch. The Department administers the classified personnel system, 
comprising 34,650 full-time equivalent (FTE) employees across the 
State—excluding the Department of Higher Education, which includes 
the State’s higher education institutions—and providing general support 
for state departments. The Department includes the following divisions 


and offices: 

= Executive Director’s Office 

= Division of Central Services 

= Division of Accounts and Control 
= Division of Human Resources 

= Office of Administrative Courts 


= Constitutionally Independent Entities Division, including the State 
Personnel Board 


= Division of Capital Assets 


For Fiscal Year 2020, the Department was appropriated approximately 
$211.0 million and 405 FTE staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 
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DEPARTMENT OF PERSONNEL & ADMINISTRATION 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


CASH FUNDS 
$14.5 


GENERAL FUND 
$17.1 


REAPPROPRIATED 
FUNDS 
$179.4 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


DEPARTMENT OF PERSONNEL & ADMINISTRATION 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 


BY MAJOR AREAS 
DIVISION OF EXECUTIVE 
CAPITAL ASSETS DIRECTOR'S 


74 OFFICE 


37 


ADMINISTRATIVE DIVSION OF 


COURTS CENTRAL 
45 SERVICES 
122 
CONSTITUTIONALLY 
INDEPENDENT ENTITIES 
5 
DIVISION OF DIVISION OF 
ACCOUNTS AND HUMAN 
CONTROL RESOURCES 
75 47 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


OFFICE OF THE STATE CONTROLLER 


The Office of the State Controller (OSC) is located within the 
Department’s Division of Accounts and Control. The OSC is 


responsible for managing the State of Colorado’s financial affairs, 


which includes (1) the preparation and submission of the State’s 
financial statements to the Governor and General Assembly by the 
statutorily-required September 20 due date, referred to as Financial 
Statements, (2) preparation and issuance of the State’s audited 
Comprehensive Annual Financial Report (Annual Report), and (3) the 
preparation of the State’s Schedule of Expenditures of Federal Awards 
(SEFA) that reports the total federal awards expended by the State 


during the fiscal year. 


The OSC is the functional business owner of the Colorado Operations 
Resource Engine (CORE), the State’s accounting system. As such, the 
OSC is responsible for providing guidance to the various state 
departments on the use of CORE, overseeing certain access and 
information security requirements of the system, and ensuring that the 


system is working as intended. 


INTERNAL CONTROLS 
OVER FINANCIAL 
REPORTING 


The OSC must prepare the Financial Statements in accordance with 
generally accepted accounting principles (GAAP), as required by state 
statute [Section 24-30-204(1), C.R.S.]. The overall objective of GAAP 
is to create consistency in financial reporting to ensure reliable, concise, 
and understandable information. The Governmental Accounting 
Standards Board (GASB) establishes GAAP for state and local 
government entities through the issuance of GASB statements, which 
the OSC must comply with when preparing the Financial Statements 
and Annual Report. 


Because governmental operations are diverse and constrained by 
numerous legal and fiscal requirements, a basic principle of 
governmental GAAP is fund accounting. A fund represents part of the 


activities of an organization, so that each fund separates its activities in 
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the accounting records and has a self-balancing set of accounts. In order 
to more easily demonstrate compliance with legal restrictions or 
limitations, governmental transactions and balances are accounted for 


through separate funds across several sets of financial statements. 


In preparing the Financial Statements, Annual Report, and SEFA, the 
OSC compiles financial information from the State’s departments, 
agencies, and higher education institutions. The OSC requires 
departments, agencies, and institutions to provide certain financial and 


federal expenditure information to the OSC through exhibits. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to review the OSC’s internal 
controls over its Financial Statements, Annual Report, and SEFA 
reporting responsibilities during Fiscal Year 2020. This included 
determining whether the OSC prepared these accurately, completely, 
and in accordance with GAAP. 


Additionally, we reviewed the OSC’s progress in implementing our 
Fiscal Year 2019 audit recommendation related to the OSC’s financial 
reporting responsibilities. At that time, we recommended the OSC 
strengthen its internal controls, such as implementing an expanded 
supervisory review process over financial reporting, to ensure that the 
Financial Statements and Annual Report are accurate and prepared in 
accordance with GAAP. 


As part of our audit work, we tested the effectiveness of the OSC’s 
internal controls over the preparation and review of the Fiscal Year 
2020 Financial Statements, Annual Report, and SEFA, which included 
the following: 


= Reviewing the Financial Statements and Annual Report for 
accuracy, completeness, and compliance with GAAP. 


Reviewing the OSC’s exhibits and exhibit instructions contained 
within the OSC’s Fiscal Procedures Manual (Manual), including the 
OSC’s Exhibit K1, Schedule of Federal Assistance, and the OSC’s 
related policies and procedures, to determine whether the OSC 
followed its own procedures when compiling Exhibit K1s submitted 
by departments and higher education institutions for SEFA 
preparation. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


State statutes, State Fiscal Rules, GAAP, and the OSC’s Manual outline 


various requirements for the State Controller. Specifically: 


Section 24-30-204(1), C.R.S., requires that the State Controller 
prepare Financial Statements in accordance with GAAP and submit 
them to the Governor and the General Assembly each year no later 
than September 20. 


GASB Statement No. 34, Basic Financial Statements—and 
Management’s Discussion and Analysis—for State and Local 
Governments, states that each of the financial statements should 
“ report separate columns for the General Fund, and for other 
major...funds.” Further, it defines major funds as those funds 
having significant assets, liabilities, revenues, and expenditures in 
comparison to other funds included in the Financial Statements and 
Annual Report, based on a prescribed calculation. 


The OSC’s FY 2020 Exhibit Instructions state that, “Revised 
exhibits are due as soon as practical once an error in the original 


submission has been identified.” 


State Fiscal Rule 1-2, Internal Controls, states that the OSC “shall 
implement internal accounting and administrative controls that 
reasonably ensure that financial transactions are accurate, reliable, 


[and] conform to the Fiscal Rules...” 
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= According to the OSC’s Internal Control System policy, state 
agencies shall use the Standards for Internal Control in the Federal 
Government (Green Book), published by the U.S. Government 
Accountability Office, as its framework for its system of internal 
control. Green Book Paragraph OV2.14, Roles in an Internal 
Control System, states that management is responsible for designing 
an internal control system. This should include controls over the 
preparation of external financial reporting in accordance with 


professional standards and applicable laws and regulations. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


The OSC did not fully implement our Fiscal Year 2019 audit 
recommendation related to internal controls over financial reporting 
during Fiscal Year 2020. Specifically, the OSC did not strengthen 
existing policies and procedures for reviewing the State’s Financial 
Statements and Annual Report in sufficient detail to detect and correct 


significant issues. 


During our testing of the OSC’s Fiscal Year 2020 Financial Statements, 
Annual Report, and SEFA, we discovered several errors that were not 
identified and corrected through the OSC’s preparation and review 
processes, as follows: 


= The OSC failed to present the Highway Users Tax Fund (HUTF), 
which included $1.3 billion in assets, $343.1 million in liabilities, 
$2.0 billion in revenues, and $2.4 billion in expenses, as a major 
fund in a separate column in either report as required by GASB 
Statement No. 34. Instead, the OSC included HUTF activity as part 
of the Other Governmental Funds column. After we notified the 
OSC, they corrected the error and presented HUTF activity within 


its own column as a separate major fund in the Annual Report. 


= The OSC overstated the SEFA expenditures for one federal grant by 
approximately $8.2 million. The OSC subsequently corrected the 
error on the SEFA. 


= During our testing, we also identified 37 additional errors within 
7 of 22 (32 percent) note disclosures; Management’s Discussion and 
Analysis, a section in the Annual Report intended to discuss key issues 
which may not otherwise be apparent to the reader; and 
supplementary cash flow information. These errors were significant 
individually, or when combined, to either the Financial Statements or 
Annual Report. For example, these errors included the following: 


In one note disclosure, a table presenting a breakdown of 
depreciation expense was presented as being rounded to the 
nearest thousand, but the table included actual depreciation 
expense amounts. Thus, it could appear to a financial statement 
user that total depreciation expense in the note disclosure was 
about $1 trillion more than it is. 


In another note disclosure, due to a typographical error, the OSC 
overstated pledged revenue by $700 million for one higher 
education institution, and did not agree to the underlying exhibit. 


The OSC incorrectly reported in the note disclosures a 
combination of insurance coverage, debt, and financial 
guarantees totaling about $1 billion. The amounts did not agree 
to the underlying exhibits submitted by departments or higher 


education institutions. 


The OSC did not include $108.7 million of supplementary cash 
flow information that was reported on an agency’s standalone 


financial statements. 


The OSC updated an entire note disclosure section about 
Taxpayer’s Bill of Rights revenues, liabilities, and reserves with 
Fiscal Year 2020 information in the Financial Report, but 
inadvertently replaced it with the Fiscal Year 2019 note disclosure 
in the first draft of the Annual Report. 


= We also identified 16 instances in which amounts contained on the 
SEFA, Financial Statements, and Annual Report did not agree to the 
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exhibits prepared and submitted by departments and higher 
education institutions. Specifically, the OSC used different amounts 
than those submitted on three Exhibit K1s to create the SEFA, and 
13 other exhibits to create note disclosures in the Financial 
Statements and Annual Report. After we notified the OSC of these 
issues, the OSC indicated that, in some instances, it changed 
information reported on these exhibits without obtaining either a 
revised exhibit or additional information from the department or 
higher education institution. We were able to verify that final 
amounts reported in the SEFA, Financial Statements, and Annual 
Report were correct and amounts contained on the exhibits 
prepared by departments and higher education institutions were 
incorrect in these instances. Changes not reported on revised 
exhibits totaled $944.3 million. 


WHY DID THESE PROBLEMS OCCUR? 


The OSC did not have effective internal controls in place over its Fiscal 
Year 2020 financial reporting. Specifically, the OSC did not 
appropriately design, or require staff to follow, its procedures or 
otherwise ensure that the Financial Statements, Annual Report, and 
SEFA were prepared and reviewed appropriately, and that errors were 
identified and corrected, as follows: 


The OSC lacked a process for conducting an analysis of major funds 
presented in the Financial Statements when significant changes are 
made to the underlying accounting records. 


The OSC did not follow its procedures to collect updated exhibits 
from the departments, agencies, and higher education institutions to 
complete the Financial Statements, Annual Report, or the SEFA. 
Instead, the OSC completed, calculated, or changed amounts on the 
exhibits themselves, including Exhibit K1s, and did not require the 
departments, agencies, or higher education institutions to submit 
revised exhibits. 


WHY DO THESE PROBLEMS MATTER? 


If robust internal controls over financial reporting and the related 
preparation are not in place and operating effectively within the OSC, 
it can result in the Financial Statements or Annual Report being 
materially misstated, which could lead users of these statements, 
including the Governor and General Assembly, to make decisions based 
on inaccurate information. When the OSC circumvents its internal 
control processes by not requiring revised exhibits to correct identified 
errors, it increases the risk that the information presented in the 
Financial Statements, Annual Report, and SEFA will be incorrect and 
differ from department, agency, or higher education institution records. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 
THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATION 2019-030E 


RECOMMENDATION 
2020-028 


The Department of Personnel & Administration’s Office of the State 
Controller (OSC) should strengthen internal controls over financial and 
federal reporting to ensure that the OSC’s preparation of the State’s 
Financial Statements, Comprehensive Annual Financial Report (Annual 
Report), and Schedule of Expenditures of Federal Awards (SEFA), 
detect and correct material misstatements. This should include the 


following: 


A Evaluating the OSC’s internal controls over preparing and reviewing 
the Financial Statements and Annual Report to ensure their 
effectiveness in identifying and correcting significant issues, such as 
those identified in the audit. This should include ensuring that OSC 
staff implement and perform an analysis of major funds when 


significant changes are made to the underlying accounting records. 
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B 


Ensuring that information contained in the Financial Statements, 
Annual Report, and SEFA is supported by information provided by 
departments, agencies, and higher education institutions, by either 
requiring them to complete and/or update exhibits submitted to the 
OSC, as applicable, or implementing an alternative process to ensure 
that changes made by the OSC are communicated and reconciled 


with source documentation. 


RESPONSE 


OFFICE OF THE STATE CONTROLLER 


A AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Office of the State Controller agrees with this recommendation. 
In preparation for the Fiscal Year 2021 financial audit, the OSC will 
continue to evaluate, and modify as needed, its internal controls over 
financial reporting and financial statement review processes. In 
addition, the OSC will revise its documented process for major fund 
determination by requiring an analysis of major funds when 
significant changes to the general ledger occur due to post-closing 


journal entries. 


AGREE. IMPLEMENTATION DATE: JUNE 2021. 


The Office of the State Controller agrees with this recommendation. 
The OSC will evaluate and make revisions, as applicable, to existing 
processes for collection of exhibits and other documentation 
supporting financial statements and related disclosures to ensure 


they reconcile to department and institution source documentation. 


CORE INFORMATION 
SECURITY 


The OSC has overall responsibility for the State’s financial information 
recorded in CORE. The OSC works closely with CORE’s third-party 
service organization, CGI, which maintains and houses the CORE 
system infrastructure components in its remote hosting facilities. As part 
of the contract between CGI and the State, CGI is required to provide 
an annual internal controls audit report, which covers those controls 
that CGI applies to its primary hosting facility and the associated 
control activities provided to the State. To meet this contractual 
requirement, CGI contracts with an independent service auditor to 
perform an examination of its internal controls. Those examination 
results are provided to the OSC on an annual basis in the form of a 
Service and Organization Controls (SOC) 1, Type II report (SOC 1). 
Database controls supporting the CORE system should be included in 
the SOC 1 report, providing assurance to the OSC of reliable data 
within CORE. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of our audit work was to determine whether the OSC 
implemented our Fiscal Year 2018 CORE Information Security 
recommendation to work with CGI to ensure that the SOC 1 report 
covers appropriate database controls relevant to financial reporting. We 
originally identified this issue during our Fiscal Year 2017 audit. We 
performed our audit work through inquiry of OSC staff, as well as 


inspection of supporting documentation. 
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HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


According to the OSC’s Internal Control System policy, state agencies 
must use the Green Book as the framework for their systems of internal 
control. The Green Book Section 4, Additional Considerations, 
indicates that management retains responsibility for the performance of 
processes assigned to service organizations, and further indicates that 
management needs to understand the controls each service organization 
has designed, implemented, and operates for the assigned operational 
process, and how the service organization’s internal control system 


impacts the entity’s internal control system. 


WHAT PROBLEM DID THE AUDIT WORK 
IDENTIFY? 


During our Fiscal Year 2020 audit work, we found that the OSC 
worked with CGI to obtain quotes for the additional cost to include 
database controls within the CORE SOC 1 report. However, a contract 
amendment with CGI to include database controls was not executed 
until August 2020, after the audit period for the Fiscal Year 2020 
CORE SOC 1 report. 


WHY DID THIS PROBLEM OCCUR? 


OSC funding, through the Fiscal Year 2021 Long Bill, is not available 
until Fiscal Year 2021 to make the change to the CORE SOC 1 report. 


WHY DOES THIS PROBLEM MATTER? 


Without appropriate database controls included within the CORE SOC 
1 report, there is an increased risk that the OSC would not be able to 
rely on the data underlying the State’s financial information, which 
could lead to misstatements of the State’s financial statements or 


potential undetected fraudulent activity. 


CLASSIFICATION OF FINDING MATERIAL WEAKNESS 


THIS FINDING APPLIES TO PRIOR AUDIT RECOMMENDATIONS 2019-035 AND 
2018-032 


RECOMMENDATION 
2020-029 


The Office of the State Controller should strengthen information 
technology controls over the Colorado Operations Resource Engine 
(CORE) system by continuing to work with CGI to ensure that the 
System and Organization Controls (SOC) 1, Type II report for Fiscal 
Year 2021 covers appropriate database controls relevant to financial 


reporting. 


RESPONSE 
OFFICE OF THE STATE CONTROLLER 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


The Office of the State Controller agrees with this recommendation. 
The funding to include database controls relevant to financial reporting 
was approved for the Fiscal Year 2021 Long Bill and a contract 
amendment to include the testing of these controls in the SOC 1, Type 
II Report with CGI was executed in August 2020. The Fiscal Year 2021 
SOC 1, Type II Report, which was also amended to align with the 
State’s fiscal year, is expected to be provided by CGI in September 2021. 
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DEPARTMENT OF PERSONNEL 
& ADMINISTRATION 


The following recommendations relating to internal control deficiencies 
classified as a MATERIAL WEAKNESS or SIGNIFICANT DEFICIENCY were 
communicated to the Department of Personnel & Administration 
(Department) in the previous year, and have not been remediated as of 
June 30, 2020, because the original implementation dates provided by 
the Department are in a subsequent fiscal year. These recommendations 
can be found in the original report and SECTION III: PRIOR FINANCIAL 
RECOMMENDATIONS of this report. 


DECEMBER 2020 
DECEMBER 2020 
DECEMBER 2022 
DECEMBER 2020 
[1] 


CURRENT REC. NO. 2020-030 PRIOR REC. NO. 2019-030 IMPLEMENTATION DATE 


MOOS 


CLASSIFICATION MATERIAL WEAKNESS 


A DECEMBER 2020 
CURRENT REC. NO. 2020-031 PRIOR REC. NO. 2019-032 IMPLEMENTATION DATE B DECEMBER 2020 

C DECEMBER 2020 
CLASSIFICATION MATERIAL WEAKNESS 


CURRENT REC. NO. 2020-032 PRIOR REC. NO. 2019-033 IMPLEMENTATION DATE SEPTEMBER 2020 
CLASSIFICATION SIGNIFICANT DEFICIENCY 


[1] This part of the recommendation has been implemented, partially implemented, not implemented, or is 
no longer applicable. SEE SECTION III: PRIOR FINANCIAL RECOMMENDATIONS of this report for information 
regarding this part of the recommendation. 
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DEPARTMENT OF PUBLIC 
HEALTH AND 
ENVIRONMENT 


The Department of Public Health and Environment (Department) is 
responsible for protecting and improving the health of the people of 


Colorado and protecting the quality of Colorado’s environment. 
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For Fiscal Year 2020, the Department was appropriated approximately 
$620.4 million and 1,385 full-time equivalent (FTE) staff. 


The following charts show the appropriations by funding source and 
FTE staff by major areas, respectively, within the Department for Fiscal 
Year 2020. 


DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


CASH FUNDS 
$206.4 


FEDERAL FUNDS 
$301.9 


GENERAL FUNDS 
$62.7 


SQ REAPPROPRIATED FUNDS 
$49.4 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 
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DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT 
FISCAL YEAR 2020 FULL-TIME EQUIVALENT STAFF 


BY MAJOR AREAS 
OFFICE OF EMERGENCY ADMINISTRATION 
PREPAREDNESS AND RESPONSE AND SUPPORT 
HEALTH 35 92 CENTER FOR 
FACILITIES AND HEALTH AND 
EMERGENCY ENVIRONMENTAL 
MEDICAL DATA 
SERVICES 100 
2 LABORATORY 
SERVICES 
88 


PREVENTION 
SERVICES 
DIVISION 

208 


DISEASE CONTROL AIR POLLUTION 


AND CONTROL 
ENVIRONMENTAL DIVISION 
EPIDEMIOLOGY 193 
DIVISION WATER QUALITY 
147 DRON OF CONTROL 
DIVISION 
ENVIRONMENTAL 182 
HEALTH AND HAZARDOUS MATFRIALS AND 
i WASTE MANAGEMENT DIVISION 
116 


SOURCE: Joint Budget Committee Fiscal Year 2020-21 Appropriations Report. 


The following comment was prepared by the public accounting firm of 
BKD, LLP, which performed the Fiscal Year 2020 audit work at the 
Department under contract with the Office of the State Auditor. 


ACCOUNTING 
CONTROLS 


The Department’s Accounting Division staff are responsible for all of the 
Department’s financial reporting, which includes the accurate, complete, 
and timely entry and approval of financial transactions into the Colorado 
Operations and Resource Engine (CORE), the State’s accounting system. 
This responsibility also includes required reporting of various information 
through forms, or exhibits, to the Office of the State Controller (OSC) for 


preparation of the State’s financial statements. 


Accounting Division staff are also specifically tasked with appropriately 
classifying revenues in accordance with the provisions of the Taxpayer’s Bill 
of Rights (TABOR), as well as classifying transactions in accordance with 
Section 24-30-207, C.R.S., which contains the provisions for the State’s 


Cash Funds Uncommitted Reserves. 


Within CORE, accounting transactions are segmented into accounting 
periods throughout the fiscal year. Periods 1 through 12 correspond to 
the activity recorded in the months of the fiscal year (July through June, 
respectively). Periods 13 through 16 are used, as necessary, to record 
any required adjusting entries to correct errors or reclassify 
information, as may be necessary to create the State’s financial 
statements. Specifically, for departmental purposes for Fiscal Year 
2020, Period 13 was closed on August 4, 2020. This date represented 
the OSC’s closing of the State’s “official accounting records” by 35 days 
after fiscal year end, as required by state statute [Section 24-30-204(3), 
C.R.S.]. Period 14 was closed by the OSC for any new transactions on 
August 7, 2020, and represented the final time period for adjustments, 
which are required to be approved by the OSC prior to posting. 


WHAT WAS THE PURPOSE OF OUR 
AUDIT WORK AND WHAT WORK WAS 
PERFORMED? 


The purpose of the audit work was to determine whether the 
Department had adequate internal controls in place and complied with 
policies and procedures related to financial accounting and reporting 


processes and requirements ; 


We analyzed the Department’s CORE transactional data recorded after 
the State’s Fiscal Year 2020 statutory closing date of August 4, 2020, 
to identify the number and dollar amount of transactions that were 
processed after the OSC’s statutory deadline for closing the State’s 
accounting records. We also reviewed the Department’s TABOR- 


related exhibits and variance responses prepared by the Department. In 
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addition, we tested the Department’s portion of the OSC-prepared 
Fiscal Year 2020 Cash Funds Uncommitted Reserves report that was 
approved by the Department. 


HOW WERE THE RESULTS OF THE 
AUDIT WORK MEASURED? 


We measured the results of our audit work against the following: 


State statute [Section 24-30-204(3), C.R.S.] requires the State’s 
official accounting records to be closed no later than 35 days after 
the end of the fiscal year. Specifically, for Fiscal Year 2020, the 
State’s accounting records were required to be closed by August 4, 
2020. As of this date, all departments’ adjusted revenue, 
expenditures, and expense accounts were required to be entered into 
CORE. Any Fiscal Year 2020 entries made after that date were 
required to be approved by the OSC. 


The OSC’s Fiscal Procedures Manual (Manual), Chapter 1, Section 
2.14, Pre-Audit Sensitive Account Codes, states that revenue 
accounts relevant to TABOR reporting “should be carefully 
reviewed for proper classification throughout the year and again 
prior to close.” In addition, the Manual requires departments to 
submit explanations for OSC-selected TABOR variances each year 
to the OSC. The Manual [Chapter 5, Section 5.7] also specifically 
requires departments to prepare and submit an Exhibit A1, Change 
in TABOR Revenue and Base Fiscal Year Spending, to the OSC after 
fiscal year-end whenever an error exceeding $200,000 that occurred 
within the previous 4 fiscal years is identified that affects TABOR 
revenue. The OSC uses the exhibit as a basis for adjusting the 
TABOR calculation used for identifying any potential TABOR 
refunds. Exhibit A1 and the TABOR variance analysis explanations 
were due to the OSC on August 12, 2020, and August 14, 2020, 
respectively, in order for the OSC to meet its September 1, 2020, 
statutory TABOR reporting deadline. 


State statute [Section 24-30-207, C.R.S.] requires the State 
Controller to annually prepare the Cash Funds Uncommitted 
Reserves Report showing the amount of uncommitted reserves 
credited to each of the State’s cash funds. Section 24-75-402(2)(b) 
defines cash funds to mean any fund that is established by law for a 
specific program or purpose and that includes money from fees; 
excluding the state general fund, any federal fund, and any fund used 
by a state institution of higher education. The OSC provided each 
department its respective portion of the Fiscal Year 2020 Cash 
Funds Uncommitted Reserve Report, or Turnaround Report, for 
review; correction, as applicable; approval; and required submission 
back to the OSC by August 14, 2020, in order for the OSC to meet 
its statutorily-required statewide cash funds reporting deadline of 
September 20, 2020. 


WHAT PROBLEMS DID THE AUDIT 
WORK IDENTIFY? 


Overall, we found that the Department lacked processes and procedures 
to meet required financial reporting-related state deadlines for Fiscal 
Year 2020, as follows: 


The Department posted 16 entries totaling $52,796,501, after the 
OSC’s statutory closing deadline of August 4, 2020. Entries were 
required due to errors the Department failed to identify and correct 
through its fiscal year-end review process. These entries included 
adjustments that impacted both TABOR and Cash Funds. 


The Department identified TABOR net adjustments totaling 
$494,621, for Fiscal Years 2016 through 2019, after June 30, 2020, 
but did not submit an Exhibit A1 to the OSC to report the 
adjustments until September 11, 2020, which was 30 days after the 
original due date and 10 days after the OSC’s statutorily-required 
TABOR reporting due date. 
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The Department failed to identify and communicate to the OSC an 
error totaling $842,214 on the Cash Funds Turnaround Report. 
This error required an audit adjusting entry which was not posted 
by the Department until September 10, 2020. This timing was 27 
days after the Department approval of the Turnaround Report was 
due to the OSC. 


WHY DID THESE PROBLEMS OCCUR? 


The Department lacked sufficient internal controls to ensure that it met 
OSC financial reporting deadlines for Fiscal Year 2020. Specifically, the 
Department experienced turnover during Fiscal Year 2020 that required 
existing employees to take on new responsibilities, in addition to fiscal 
year-end close responsibilities within the Accounting Division. The 
Department did not have a clearly outlined plan to distribute and 
delegate responsibilities, as well as provide additional training, as 
applicable. This resulted in the Accounting Division having limited staff 
with the requisite background and training to review and assist with the 
year-end close process. As such, many of the responsibilities to complete 
required fiscal year-end close responsibilities fell to one individual. 


In addition, the Department did not fully comply with its fiscal year- 
end close checklist, including internal preparation and review deadlines 
that ensure OSC deadlines were met. 


WHY DO THESE PROBLEMS MATTER? 


Strong financial accounting internal controls, including effective review 
processes and procedures over financial transactions, are necessary to 
ensure the Department records and reports financial information 
accurately, in a timely manner, and in accordance with rules and 
regulations. Untimely financial reporting can adversely affect the State’s 
financial information and result in the State being out of compliance 


with statutory requirements. 


CLASSIFICATION OF FINDING SIGNIFICANT DEFICIENCY 
THIS FINDING DOES NOT APPLY TO A PRIOR AUDIT RECOMMENDATION 


RECOMMENDATION 
2020-033 


The Department of Public Health and Environment (Department) 


should strengthen its internal controls over fiscal year-end financial 


activities by: 


A 


iss) 


O 


Creating and implementing a staffing plan that clearly assigns roles 
and responsibilities to its Accounting Division staff, including the 


distribution of secondary assignments in the case of staff turnover. 


Cross-training existing employees to allow for appropriate 
segregation of duties and review, and to allow for appropriate 


delegation when turnover occurs. 


Continuing to improve upon and follow a fiscal year-end close 
checklist, which outlines internal deadlines, includes all divisions, 
and allows sufficient time for internal review of Office of the State 
Controller (OSC)-required reports, including the Taxpayer’s Bill of 
Rights (TABOR) variance analyses and the Cash Funds 
Uncommitted Reserves report, in order to ensure all Department and 
OSC deadlines are met. 
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RESPONSE 


DEPARTMENT OF PUBLIC 
HEALTH AND ENVIRONMENT 


A AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


The Department agrees with the importance of the timely and 
accurate recording of financial records and the importance of 
maintaining a proper control environment. While improvement is 
an ongoing goal, the Department continues to make strides as has 
been indicated in prior-year responses. 


Central accounting is currently fully staffed and has been able to 
maintain nearly full staffing levels in recent years. This has allowed 
staff to be delegated new roles and responsibilities, including roles 
and responsibilities during year-end close. Additionally, starting 
with the fiscal year-ended June 30, 2018, central accounting began 
migrating to a "program accountant" model. This model requires 
that each program accountant has responsibility for all accounting 
aspects for their assigned programs. There are a few functions within 
central accounting that still rely on the work of one individual and 
these functions will be addressed through staff cross-training. This 
will ensure proper coverage during times that the unit experiences 
staff turnover or extended leave requests. 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


As stated, central accounting has migrated to a "program 
accountant" model. Inherent within this model is the need for each 
program accountant to gain and maintain an understanding of 
multiple accounting concepts. Central accounting performed a 
formalized assessment process to identify accounting concepts that 
needed further reinforcement. Selected central accountants then 
researched those identified accounting concepts, created training 
materials, and presented the information to their peers. 


While staff have been delegated new roles and responsibilities, there 
are a few functions within the accounting unit that still rely on the 
work of one individual and these functions will be addressed 
through staff cross-training. Additionally, central accounting will 
continue conducting targeted trainings to broaden staff’s knowledge 
bases. 


AGREE. IMPLEMENTATION DATE: SEPTEMBER 2021. 


The Department agrees with the importance of ensuring that 
revenues received are recorded appropriately and its role in TABOR 
considerations and the calculation of any excess uncommitted 
reserves. Furthermore, the Department acknowledges that there 
were corrections that were needed after the statutory close deadline. 
Most of these, however, were identified and initiated by the 
Department after consultation with the Office of the State 


Controller, and are generally non-recurring in nature. 


Proper revenue recording is being reiterated throughout the 
Department and will be incorporated within the Department's Fiscal 
Procedures Manual. The Department is also developing interim 
analytic procedures that can be performed prior to fiscal year-end 
close to assist in identifying potential issues earlier in a given fiscal 


year. 


Finally, the Department has developed and utilized a year-end close 
checklist for closing the fiscal years-ended June 30, 2019 and 2020. 
This checklist identifies tasks, due dates, staff assignments, etc. The 
Department continues to refine the checklist to ensure deliverables 
are timely considered for future year-end closing periods. 
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DEPARTMENT OF THE 
TREASURY 


The Department of the Treasury (Treasury) is established by the 
Colorado Constitution. The State Treasurer is an elected official who 
serves a 4-year term. The Treasury’s primary functions are to manage 
the State’s pooled investments and to implement and monitor the State’s 
cash management procedures. Other duties and responsibilities of the 


Treasury include: 
= Receiving, managing, and disbursing the State’s cash. 


= Acting as the State’s banker and investment officer. 


= Managing the State’s Unclaimed Property Program, the Interest-Free 
School Loan Program, the Property Tax Deferral Program for 
Seniors and Veterans, and the Colorado Housing and Finance 


Authority Loan Program. 


= Managing certain state public funding transactions. 


The State’s $9.6 billion of pooled investments are made up of a variety 
of securities, as shown in the following chart: 


COLORADO TREASURY POOL PORTFOLIO MIX 
AS OF JUNE 30, 2020 (IN MILLIONS) 


TREASURIES 
$1,278.5 


OTHER 
$3,135.9 COMMERCIAL PAPER 


$385.0 


m MORTGAGE BACKED 
n $458.0 


FEDERAL AGENCIES 


$227.2 
CORPORATES AND 


MUNICIPAL BONDS 


$3,473.4 ASSET BACKED 


$659.9 


SOURCE: Department of the Treasury records. 
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For Fiscal Year 2020, the Treasury was appropriated approximately 
$861.7 million and 33 full-time equivalent (FTE) staff, with 17 FTE 
allocated to administration and 16 FTE allocated to the Unclaimed 
Property program. The majority of the Treasury’s funding, approximately 
99 percent, was for special purpose programs and the remaining 1 percent 
was for Treasury administration and the Unclaimed Property program. 
The following chart shows Treasury’s appropriations by funding source 
for Fiscal Year 2020. 


DEPARTMENT OF THE TREASURY 
FISCAL YEAR 2020 APPROPRIATIONS 
BY FUNDING SOURCE (IN MILLIONS) 


REAPPROPRIATED 
FUNDS 
$73.9 
CASH FUNDS 9% 
$448.5 


52% 


GENERAL FUNDS 
$339.3 
39% 


SOURCE: Joint Budget Committee Appropriations Report Fiscal Year 2020-21. 


With 17 allotted FTE, Treasury’s Administration Division manages special 


purpose programs, which are summarized in the following chart. 


DEPARTMENT OF THE TREASURY 
FISCAL YEAR 2020 SPECIAL PURPOSE PROGRAMS 
APPROPRIATIONS (IN MILLIONS) 


PERA DIRECT 
SUSTAINABILITY OF DISTRIBUTION 
RURAL COLORADO $225.0 


$75.5 


SENIOR CITIZEN 
AND DISABLED 
VETERAN PROPERTY 
TAX EXEMPTION 


HIGHWAY USERS $140.8 
TAX FUND 
$392.8 
OTHER 
$21.4 


SOURCE: Colorado Senate Bill 19-207 (Fiscal Year 2020 Long Appropriations Act). 
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COMPLIANCE WITH 
COLORADO FUNDS 
MANAGEMENT ACT AND 
THE TAX ANTICIPATION 
NOTE ACT 


The Colorado Funds Management Act (Funds Management Act) under 
Section 24-75-902, C.R.S., asserts that, because the State “currently 
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experiences and may hereafter” experience fluctuations in revenue and 
expenditures, as well as temporary cash flow deficits, this section of the 
statute is necessary, outlining the authority and mechanisms the State 
can use to fund shortfalls. Under Section 24-75-905(1), C.R.S., the State 
Treasurer is specifically authorized to sell Tax and Revenue 
Anticipation Notes (TRANS), short-term notes payable from 
anticipated pledged revenue, to meet these shortfalls. These TRANS are 
referred to as General Fund Tax and Revenue Anticipation Notes 
(General Fund Notes). 


Under Section 29-15-112(1), C.R.S., the Tax Anticipation Note Act also 
specifically authorizes the State Treasurer to issue TRANS for school 
districts. The purpose of these TRANS is to alleviate temporary cash flow 
deficits of school districts by making interest-free loans to those districts. 
These TRANS are referred to as Education Loan Program Tax and 
Revenue Anticipation Notes (ELP Notes). 


Section 24-75-914, C.R.S., requires the Office of the State Auditor to 
review information relating to the General Fund Notes and annually 
report this information to the General Assembly. We have also included 
information about the ELP Notes. The following table and discussion 


provide information about the Treasurer’s issuance of these notes 
during Fiscal Year 2020. 
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STATE OF COLORADO 
DETAILS OF TAX AND REVENUE ANTICIPATION 
NOTE ISSUANCES 
FOR THE FISCAL YEAR ENDED JUNE 30, 2020 
EDUCATION LOAN PROGRAM NOTES 
TOTAL 
GENERAL |EDUCATION LOAN] EDUCATION LOAN] EDUCATION 


FUND NOTES | PROGRAM NOTES | PROGRAM NOTES LOAN 
SERIES 2019 SERIES 2019A SERIES 2019B PROGRAM 


Date of Issuance July 24, 2019 July 18,2019 January 16, 2020 — 
Maturity Date June 26, 2020 June 29, 2020 June 29, 2020 — 
Issue Amount $600,000,000 $400,000,000 $400,000,000 $800,000,000 


Interest $22,317,778 $11,366,667 $6,055,903 $17,422,570 
Denominations $5,000 $5,000 $5,000 — 

Face Interest 4.03% 3.00% 20 = 

Rate 

Premium on Sale $15,821,800 $6,932,000 $4,390,500 $11,322,500 
Net Interest Cost 1.18% 1.18% 0.94% _ 


to the State 
Total Due at 
Maturity 
SOURCE: Department of the Treasury records. 

NOTE: For comparative purposes, in Fiscal Year 2019, the Treasurer issued $600,000,000 in 
General Fund Notes and $635,000,000 in Education Loan Program Notes. 


$622,317,778 $411,366,667 $406,055,903 $817,422,570 


TERMS AND PRICE 


Section 24-75-907(1), C.R.S., states that the General Fund Notes are 
required to mature no later than 3 days prior to the end of the fiscal 
year. Section 29-15-112(5)(b), C.R.S., states that the ELP Notes are 
required to mature on or before August 31 of the fiscal year immediately 
following the fiscal year in which the notes were issued. In addition, if 
the notes have a maturity date after the end of the fiscal year, then on 
or before the final day of the fiscal year in which the ELP Notes are 
issued, there shall be deposited, in one or more special segregated and 
restricted accounts and pledged irrevocably to the payment of the ELP 
Notes, an amount sufficient to pay the principal, premium, if any, and 
interest related to the ELP Notes on their stated maturity date. 


Notes in each series are issued at different face interest rates. These are 
the rates at which interest will be paid on the notes. The average net 
interest cost to the State differs from the face interest rates because the 


notes are sold at a premium, which reduces the net interest cost incurred. 


The maturity dates of the General Fund Notes and the ELP Notes issued 
during Fiscal Year 2020 comply with statutory requirements. Specifically, 
as shown in the previous table, the General Fund Notes had a maturity 
date of June 26, 2020, and both of the ELP Notes had a maturity date of 


June 29, 2020. Neither were subject to redemption prior to maturity. 


SECURITY AND SOURCE OF PAYMENT 


In accordance with the Funds Management Act, principal and interest on 
the General Fund Notes are payable solely from any cash income or other 
cash receipts recorded in the General Fund for Fiscal Year 2020. The 
General Fund’s cash receipts include those that are subject to 
appropriation in Fiscal Year 2020 and any pledged revenue, including 


the following: 


= Revenue not yet recorded in the General Fund at the date the notes 
were issued. 


= Any unexpended note proceeds. 


= Proceeds of internal borrowing from other state funds recorded in 
the General Fund. 


The State Treasurer records monies reserved to pay the principal and 
interest of the General Fund Notes in the Note Payment Account 
(General Fund Account) in the Colorado Operations Resource Engine 
(CORE), the State’s accounting system. The General Fund Notes are 
secured by an exclusive first lien on assets in the General Fund Account. 


The State Treasurer holds custody of the assets in this account. 


According to Section 29-15-112(2)(e)(II), C.R.S., interest on the ELP 
Notes is payable from the General Fund. In accordance with the 
TRANS issuance documents, principal on the ELP Notes was required 
to be paid solely from the receipt of property taxes received by the 
participating school districts during March through June 2020, which 
were to be deposited into the General Fund of each school district. 
Section 29-15-112(4)(a)(I)(A), C.R.S., requires the school districts to 
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make payments for the entire principal on the ELP Notes to the State 
Treasury. Per the TRANS issuance documents, these payments were to 
be made by June 25, 2020. We confirmed that the school districts made 
all payments by June 25, 2020, and the State Treasurer used these funds 
to repay the principal on the ELP Notes. 


In accordance with the TRANS issuance documents, if the balance in 
the ELP Notes Repayment Account (ELP Account) had been less than 
the principal of the ELP Notes at maturity on June 29, 2020, the State 
Treasurer would have been required to deposit an amount sufficient to 
fully fund the ELP Account from any funds on hand that were eligible 
for investment. The State Treasurer’s ability to use the General Fund’s 
current revenues or borrowable resources to fund a deficiency in the 
ELP Account is subordinate to the use of such funds for payment of any 


outstanding General Fund Notes. 


In accordance with the TRANS issuance documents, if the balance in 
the General Fund Account on June 15, 2020, had been less than the 
principal and interest of the General Fund Notes due at maturity, the 
State Treasurer would have been required to deposit all of the General 
Fund’s revenue available at that time into the General Fund Account, 
and borrow from other state funds until the balance met the required 
level. In addition, the State Treasurer would be required to give notice 
of such deficiency to the note’s securities depository and the Municipal 


Securities Rulemaking Board. 


To ensure the payment of the General Fund Notes and ELP Notes, the 
Treasurer agreed to deposit pledged revenue into both the General Fund 
Account and the ELP Account so that the balance on June 15, 2020, 
and June 25, 2020, respectively, would be no less than the amounts to 
be repaid. The note agreements also provide remedies for holders of the 
notes in the event of default. The amounts to be repaid on the maturity 


date are detailed in the previous table. 


We determined that, on June 15, 2020, and June 25, 2020, the account 


balance plus accrued interest earned on investments was sufficient to 


pay the principal and interest on the General Fund and ELP Notes, 


respectively, without borrowing from other state funds. 


LEGAL OPINION 


Sherman & Howard, LLC, and Kutak Rock LLP, bond counsels, have 


stated that, in their opinion: 


= The State has the power to issue the notes and carry out the 
provisions of the note agreements. 


= The General Fund Notes and ELP Notes are legal, binding, secured 
obligations of the State. 


= Interest on the notes is exempt from taxation by the U.S. government 
and by the State of Colorado. 


INVESTMENTS 


The Funds Management Act, the Tax Anticipation Note Act, and the 
General Fund and ELP Notes’ agreements allow the Treasurer to invest 
the General Fund Account and ELP Account funds in eligible investments 
until they are needed for note repayment. Interest amounts earned on the 
investments are credited back to the General Fund, since the General 
Fund pays interest at closing. The State Treasurer is authorized to invest 
the funds in a variety of long- and short-term securities according to 
Section 24-36-113(1), C.R.S. Furthermore, Section 24-75-910, C.R.S., of 
the Funds Management Act and Section 29-15-112(3)(b), C.R.S., of the 
Tax Anticipation Note Act state that the Treasurer may: 


= Invest the proceeds of the notes in any securities that are legal 


investments for the fund from which the notes are payable. 


= Deposit the proceeds in any eligible public depository. 
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PURPOSE OF THE ISSUANCE AND USE 
OF PROCEEDS 


The General Fund Note proceeds were used to alleviate temporary cash 
flow shortfalls and to finance the State’s daily operations in anticipation 
of taxes and other revenue to be received later in Fiscal Year 2020. The 
State Treasurer deposited the proceeds of the sale of the General Fund 
Notes in the State’s General Fund. 


The ELP Notes were issued to fund a portion of the anticipated cash 
flow shortfalls of the school districts during Fiscal Year 2020. The net 
proceeds of the sale of the notes were specifically used to make interest- 
free loans to the school districts in anticipation of the receipt of property 
tax revenue by the individual districts on and after March 1, 2020, and 
up to and including June 25, 2020. 


ADDITIONAL INFORMATION 


The General Fund Notes and the ELP Notes were issued through 
competitive sales. A competitive sale involves a bid process in which 


notes are sold to bidders offering the lowest interest rate. 


The issuance of both types of notes is subject to the Internal Revenue 
Service’s (IRS) arbitrage requirements. In general, arbitrage is defined 
as the difference between the interest earned by investing the note 
proceeds and the interest paid on the borrowing. In addition, if the State 
meets the IRS safe harbor rules, the State is allowed to earn and keep 
this arbitrage amount. The IRS safe harbor rules require the State to 
meet certain spending thresholds related to the note proceeds. For Fiscal 
Year 2020, Treasury reported that the State met the IRS safe harbor 
rules. Treasury further indicated that, although these requirements were 
met, interest earned by investing note proceeds was less than interest 
paid on the borrowing, thus no arbitrage was earned or kept. The 
Treasury is responsible for monitoring compliance with the arbitrage 
requirements to ensure that the State will not be liable for an arbitrage 


rebate. 


STATE EXPENSES 


The State incurred expenses as a result of the issuance and redemption 
of the General Fund and ELP Notes. These expenses totaled 
approximately $677,000. The expenses included the following: 


= Bond legal counsel fees and reimbursement of related expenses 
incurred by the bond counsel. 


= Disclosure counsel fees and expenses. 


= Fees paid to rating agencies for services. 


= Costs of printing and distributing preliminary and final offering 
statements and the actual notes. 


= Fees paid to financial advisors. 


= Redemption costs, consisting of fees and costs paid to agents to 


destroy the redeemed securities. 


SUBSEQUENT EVENTS 


On August 4, 2020, the State issued $410 million in ELP Notes, Series 
2020A, with a maturity date of June 29, 2021. The notes carry an average 
coupon rate of 3.51 percent and were issued with a premium of 
$12.3 million. The total due at maturity includes $410 million in 
principal and $13.0 million in interest. 


On August 6, 2020, the State issued $600 million in General Fund Notes 
with a maturity date of June 25, 2021. The notes carry an average coupon 
rate of 4.00 percent and were issued with a premium of $20.3 million. 
The total due at maturity includes $600 million in principal and 


$21.3 million in interest. 


On January 28, 2021, the State issued $390 million in ELP Notes, Series 
2020B, with a maturity date of June 29, 2021. The notes carry an average 


-171 


YOLIGNV ALV.LS OGVUOTOO AHL AO LUOdAa 


-172 


STATE OF COLORADO STATEWIDE FINANCIAL AUDIT - FISCAL YEAR ENDED JUNE 30, 2020 


coupon rate of 3.0 percent and were issued with a premium of $4.9 
million. The total due at maturity includes $390 million in principal and 


$5.0 million in interest. 


NO RECOMMENDATION IS MADE IN THIS AREA. 


PUBLIC SCHOOL FUND 


The Public School Fund (Fund), created under Section 22-41-101, 
C.R.S., is used for the deposit and investment of proceeds from the sale 
of land granted to the State by the federal government for educational 
purposes, as well as for other monies as provided by law. Interest and 
income earned on the Fund are to be distributed to and expended by 
the State’s school districts for school maintenance. In accordance with 
Section 22-41-104(2), C.R.S., the State Treasurer has the authority to 
“effect exchanges or sales” of investments in the Fund whenever the 
exchanges or sales will not result in the loss of the Fund’s principal. An 
aggregate loss of principal to the Fund occurs only when an exchange 
or sale that resulted in an initial loss of principal is not offset by a gain 


on an exchange or sale in the Fund within 12 months. 


Section 2-3-103(5), C.R.S., requires the Office of the State Auditor to 
annually evaluate the Fund’s investments and to report any loss of the 
Fund’s principal to the Legislative Audit Committee. During our Fiscal 
Year 2020 audit, we obtained confirmations from Wells Fargo Bank on 
the fair value of all investments held in the Fund. We compared the total 
fair value of the Fund’s investments to the book value of the investments 
as recorded in CORE, and noted that the fair value exceeded the book 
value of the investments at June 30, 2020, by approximately $57.0 
million. We did not identify any recognized loss of principal to the Fund 
during Fiscal Year 2020. 


NO RECOMMENDATION IS MADE IN THIS AREA. 


DISPOSITION 


OF PRIOR FINANCIAL AUDIT 
RECOMMENDATIONS 


The following financial audit recommendations are summarized from the 
Statewide Audit for Fiscal Years 2015 through 2019 and include only the 
financial recommendations not fully implemented as of our Fiscal Year 
2019 Statewide Audit. The disposition is the implementation status as of 
June 30, 2020. 


The classification of findings described in SECTION I: REPORT SUMMARY has 
been included throughout the dispositions, as needed. If the disposition is 
implemented, the classification is not applicable; if the disposition references 
a current financial audit recommendation, the classification will be included 
with the current audit finding. All findings classified as significant 
deficiencies or material weaknesses with a disposition of deferred will be 
listed in SECTION II: FINANCIAL STATEMENT FINDINGS following each 
department’s current findings and will include a new recommendation 
number for Fiscal Year 2020. 
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DEPARTMENT OF AGRICULTURE 


RECOMMENDATION 2017-001 


The Colorado State Fair Authority should continue the implementation of the Strategic Business 
Plan for long-term financial stability. This may also include continuing to work with the 
Colorado Department of Agriculture and the Joint Budget Committee to obtain additional 
appropriations in the State Long Bill, seeking new sources and increased contributions to ensure 
continued operations. 

STATUS NOTE: The Authority is continuing to implement its Strategic Business Plan. The 
Authority has improved its cash flow by approximately $4 million since Fiscal Year 2017. The 
Authority plans to fully implement this recommendation by June 30, 2021. 


PARTIALLY IMPLEMENTED 


DEPARTMENT OF CORRECTIONS 


RECOMMENDATION 2019-001 


The Department of Corrections should improve information security controls over the 
IMPLEMENTED Colorado Operations Resource Engine by implementing the recommendation as noted in the 
confidential finding to mitigate the specific problems noted in the confidential finding. 


RECOMMENDATION 2018-002 


The Department of Corrections (Department) should strengthen its internal controls over 
procurement card expenditures by: 


Ensuring that the procurement card administrator is fulfilling the duties and responsibilities 
outlined in the Procurement Card Program Handbook, including compliance reviews, sales tax 
inquiries, and declined transaction inquiries on a monthly basis. 

STATUS NOTE: Implemented in Fiscal Year 2019. 

Providing training to procurement card users and approvers on a timely basis in accordance 
with the Procurement Card Program Handbook. The training should emphasize the importance 


of following the State’s established procedures for review, approval, and maintenance of the 
procurement card statement and detailed receipts. 


A IMPLEMENTED 


B IMPLEMENTED 


Instituting a required, routine process for reviewing all credit limit amounts on procurement 
cards to ensure that amounts are reasonable and appropriate for the needs of the individual 

C IMPLEMENTED cardholder to fulfill their duties and that the Department’s use of procurement cards is within 
policies and intended use. 


STATUS NOTE: Implemented in Fiscal Year 2019. 
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OFFICE OF THE GOVERNOR 


A IMPLEMENTED 


B IMPLEMENTED 


IMPLEMENTED 


A IMPLEMENTED 


B DEFERRED 


PARTIALLY 
IMPLEMENTED 


D NO LONGER APPLICABLE 


PARTIALLY 
IMPLEMENTED 


B IMPLEMENTED 


C IMPLEMENTED 


The Governor’s Office of Economic Development and International Trade (OEDIT) should 
strengthen its internal controls over vendor information management by: 

Establishing and implementing formal written policies and procedures to track and monitor all 
vendor information change request submissions. These should include requiring set protocols 
for staff to follow in order to independently verify the vendor requests. 

Providing adequate training to staff over these policies and procedures, and the Central 
Management Unit’s Electronic Funds Transfer (EFT) form vendor verification guidance, to 
ensure that OEDIT staff are performing an independent source verification for all EFT change 
requests prior to processing payments. 


The Governor’s Office of Information Technology should mitigate the change management 
problems identified in the confidential finding. 


The Governor’s Office of Information Technology should strengthen information security 
controls by: 


Implementing recommendation PART A as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


Implementing recommendation PART B as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


STATUS NOTE: OIT plans to fully implement the recommendation by the June 2021 
implementation date. 


Implementing recommendation PART C as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


STATUS NOTE: See Current Audit Recommendation 2020-004. 


Implementing recommendation PART D as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


STATUS NOTE: OIT disagreed with this recommendation and did not implement it. 


The Governor’s Office of Information Technology should improve GenTax information 
security controls by: 


Implementing recommendation PART A as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


STATUS NOTE: See Current Audit Recommendation 2020-006. 

Implementing recommendation PART B as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 

Implementing recommendation PART C as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 
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NOT IMPLEMENTED 


A IMPLEMENTED 


PARTIALLY 
IMPLEMENTED 


C NOT IMPLEMENTED 


A NO LONGER APPLICABLE 


B IMPLEMENTED 


The Governor’s Office of Information Technology (OIT) should improve GenTax information 
security controls and comply with OIT Cyber Policies by configuring the GenTax operating 
system to automatically disable user accounts after 90 days of inactivity. 


STATUS NOTE: See Current Audit Recommendation 2020-006. 


The Governor’s Office of Information Technology should implement information security 
controls over GenTax to ensure compliance with applicable laws, regulations, and policies by: 


Implementing recommendation PART A as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 

Implementing recommendation PART B as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 

STATUS NOTE: See Current Audit Recommendation 2020-007. 

Implementing recommendation PART C as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 

STATUS NOTE: See Current Audit Recommendation 2020-007. 


The Governor’s Office of Information Technology should improve the Colorado Personnel 
Payroll System mainframe information security controls by: 


Implementing recommendation PART A as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


STATUS NOTE: OIT's Chief Information Security Officer approved a Secure Configuration 
Exception Request, exempting this issue from compliance with Colorado Information Security 
Policies. 


Implementing recommendation PART B as noted in the confidential finding to mitigate the 
specific related problems noted in the confidential finding. 


No LONGER APPLICABLE 


The Office of Information Technology (OIT) should strengthen information security controls 
over the Colorado Personnel Payroll System (CPPS) application by configuring the password 
length in compliance with OIT Cyber Policies or documenting management’s acceptance of the 
risk, and configuring the inactivity time frame. 


STATUS NOTE: OIT's Chief Information Security Officer approved a Secure Configuration 
Exception Request, exempting this issue from compliance with Colorado Information Security 
Policies. 


IMPLEMENTED 


The Governor’s Office of Information Technology should ensure change management controls 
over the Colorado Personnel Payroll System (CPPS) comply with standards and policies, 
including completing change management procedure documentation, and requiring 
documented quarterly access reviews over the CPPS test and production environments, to 
ensure that access is provisioned appropriately. 


IMPLEMENTED 

A IMPLEMENTED 

B IMPLEMENTED 

C IMPLEMENTED 

A IMPLEMENTED 

B IMPLEMENTED 

c PARTIALLY 
IMPLEMENTED 

D NOT IMPLEMENTED 


HI-S 


The Governor’s Office of Information Technology should continue to improve Colorado 
Personnel Payroll System (CPPS) computer operations controls and processes by working with 
key business and information system leaders to review and approve the CPPS disaster recovery 
plan, in accordance with the Colorado Information Security Policy requirements. 


The Governor’s Office of Information Technology should improve information technology 
controls related to system interfaces by: 


Developing, documenting, and implementing interface procedures for GenTax. 


Developing, documenting, and implementing interface procedures for the Colorado Operations 
Resource Engine’s interface server. 


Training staff on the appropriate interface procedures once developed as recommended in 
PARTS A and B. 


The Governor’s Office of Information Technology (OIT) should ensure physical security over 
the State’s main data center by: 


Establishing formalized access management processes to mitigate the specific related problems 
noted in the confidential finding. 


Ensuring compliance with Colorado Information Security Policies, OIT Cyber Policies, and 
OIT’s data center standard operating procedures, related to physical access management. 
STATUS NOTE: Implemented in Fiscal Year 2019. 

Establishing formalized policies, procedures and written agreements over physical access to 
mitigate the specific related problems noted in the confidential finding. 

STATUS NOTE: See Current Audit Recommendation 2020-008. 


Establishing formalized policies, procedures and written agreements over physical access to 
mitigate the specific related problems noted in the confidential finding. 


STATUS NOTE: See Current Audit Recommendation 2020-008. 


HI-6 


A DEFERRED 


B DEFERRED 


PARTIALLY 
IMPLEMENTED 


D DEFERRED 


No LONGER APPLICABLE 


A IMPLEMENTED 


B IMPLEMENTED 


C IMPLEMENTED 


The Governor’s Office of Information Technology (OIT) should work with the Department of 
Labor and Employment to improve information security controls over the Colorado 
Unemployment Benefits System (CUBS), the Colorado Automated Tax System (CATS), and the 
Colorado Labor and Employment Accounting Resource (CLEAR), and to comply with 
Colorado Information Security Policies, OIT Cyber Policies, and IRS Publication 1075, as 
applicable, by: 

Mitigating the information security problem noted in the confidential finding PART A. 

STATUS NOTE: OIT plans to fully implement this recommendation by the August 2020 
implementation date. 


Mitigating the information security problem noted in the confidential finding PART B. 

STATUS NOTE: OIT plans to fully implement this recommendation by the September 2020 
implementation date. 

Mitigating the information security problem noted in the confidential finding PART C. 

STATUS NOTE: OIT plans to fully implement this recommendation by October 2020. 
Mitigating the information security problem noted in the confidential finding PART D. 


STATUS NOTE: OIT plans to fully implement this recommendation by the June 2021 
implementation date. 


The Governor’s Office of Information Technology should strengthen information security 
controls over the Driver License, Record, Identification, and Vehicle Enterprise Solution 
(DRIVES) system by mitigating the information security problems noted in the confidential 
finding. 

STATUS NOTE: OIT disagreed with this recommendation and did not implement it. 


The Governor’s Office of Information Technology should improve oversight of CGI, as the 
CORE application’s third-party service provider, to ensure compliance with the Colorado 
Information Security Policies (Security Policy or Policies) by: 


Amending the CGI contract as necessary to clearly and unambiguously state that the contractor 
is required to comply with all current and future updated State of Colorado Information 
Security Policies. 

STATUS NOTE: Implemented in Fiscal Year 2017. 


Ensuring it has a process and effective mechanism in place to assess CGI for compliance with 
the CISPs including ensuring that CGI’s policies and procedures for CORE comply with the 
Security Policies. 


Amending the CGI contract as necessary to assign DPA/OSC primary responsibility for contract 
oversight, while stipulating that OIT should continue to ensure compliance with the Security 
Policies. 


STATUS NOTE: Implemented in Fiscal Year 2019. 


HI-7 


Once the Unemployment Insurance Modernization project is implemented and operational, the 
Governor’s Office of Information Technology (OIT) should ensure that logging, monitoring, 
and reporting capabilities are in place; logs are reviewed and analyzed for inappropriate activity; 

NOT IMPLEMENTED and audit records are retained in accordance with applicable security requirements as agreed 
upon with the Department of Labor and Employment and in compliance with Colorado 
Information Security and OIT Cyber Policies. 


STATUS NOTE: OIT plans to fully implement this recommendation by October 2020. 


The Governor’s Office of Information Technology (OIT) should improve information 
technology service agreement controls by 


Formalizing an agreement with the State Internet Portal Authority (SIPA) to ensure that SIPA 
complies with Colorado Information Security Policies, includes provisions required by OIT’s 
vendor management policy and other applicable legal and regulatory information security 
requirements, and requires OIT’s review and approval of any contract initiated by an Executive 
Branch agency for IT services provided by SIPA. This could be accomplished through a master 
agreement to ensure coverage of all state contracts 


A IMPLEMENTED 


Instituting an effective mechanism to track vendor agreements with SIPA. 
STATUS NOTE: Implemented in Fiscal Year 2016. 


Communicating with Executive Branch agencies OIT’s responsibility to review and approve all 
C IMPLEMENTED SIPA contracts, in the event a formalized agreement is not put in place, as described in Part A. 


STATUS NOTE: Implemented in Fiscal Year 2017. 


Updating all existing and future information technology service contracts between Executive 
Branch agencies and SIPA, as applicable, to comply with Colorado Information Security Policies 

D IMPLEMENTED and include the provisions required by the OIT’s vendor management policy and other 
applicable legal and regulatory information security requirements, in the event that a formalized 
agreement is not put in place, as described in PART A. 


B IMPLEMENTED 


The Governor’s Office of Information Technology (OIT) should work with the Department of 
Labor and Employment to improve internal controls over the Colorado Unemployment Benefits 
System (CUBS), Colorado Automated Tax System (CATS), and the Colorado Labor and 
Employment Applicant Resource (CLEAR) by: 


Developing and establishing adequate processes to comply with Security and OIT Cyber 
Policies, and IRS Publication 1075. 
PARTIALLY STATUS NOTE: The Department has worked with OIT to resolve certain information security 
IMPLEMENTED internal control problems identified in the confidential finding. Both the Department and OIT 
continue to further strengthen processes, as they work through the final implementation of the 
modernization project expected to be completed in October 2020. 
Reconfiguring system settings and refining practices to mitigate the specific problems noted in 
B  NOLONGER APPLICABLE the confidential finding related to account management. 


STATUS NOTE: Included as part of Fiscal Year 2019 Recommendation 2019-027. 


HI-§ 


DEPARTMENT OF HEALTH CARE POLICY AND FINANCING 


RECOMMENDATION 2019-052 


The Department of Health Care Policy and Financing should improve controls over its financial 
reporting by: 
Working with its service organization, DXC Technology Services, LLC, to ensure that Colorado 
A IMPLEMENTED interChange SOC 1, Type II reports clearly state the system components and controls that are 
in scope, such as database change management and database backup and recovery controls. 
Developing, documenting, implementing, and communicating a process for conducting reviews 
of the SOC 1, Type II reports, to ensure that all appropriate database internal controls 
B NOT IMPLEMENTED impacting financial reporting are identified by the service organization, tested for effectiveness, 
and opined on by the service auditor in its SOC 1, Type II report. 


STATUS NOTE: See Current Audit Recommendation 2020-014. 


DEPARTMENT OF HIGHER EDUCATION - ADAMS STATE UNIVERSITY 


RECOMMENDATION 2019-014 


Adams State University should continue to improve its internal controls over financial activities 


by: 
Ensuring effective supervisory review and approval procedures are in place for year-end 
a PARTIALLY accounting and reporting processes. 
IMPLEMENTED - 
STATUS NOTE: See Current Audit Recommendation 2020-015 
Enhancing fiscal year-end training for staff over the effective implementation and performance 
of internal control procedures to include the importance of properly designed controls over 
PARTIALLY 


B financial activities, and appropriate and timely completion of fiscal year-end exhibits to the 
IMPLEMENTED Office of the State Controller. 


STATUS NOTE: See Current Audit Recommendation 2020-015. 


DEPARTMENT OF HIGHER EDUCATION - HISTORY COLORADO 


RECOMMENDATION 2019-015 


History Colorado should improve its internal controls over the recording of capital assets and 

depreciation by: 

Establishing and implementing well-defined policies and procedures over capital assets, 

including specific requirements noted in the Office of the State Controller’s (OSC) Fiscal 
A IMPLEMENTED Procedures Manual (Manual) and the State Fiscal Rules. At a minimum, these procedures 

should detail the process for recording, modifying, and tracking capital assets in the Colorado 

Operations Resource Engine’s (CORE) capital asset module. 


Implementing a required detailed review of History Colorado’s depreciation entries for 


B IMPLEMENTED : pie : A 
accuracy, as well as the recording, modifying, and tracking of capital assets. 


Providing staff training on CORE, State Fiscal Rules, and the OSC’s Manual, as well as History 


2) eee Colorado’s updated policies and procedures. 


HI-9 


A IMPLEMENTED 


B IMPLEMENTED 


C IMPLEMENTED 


A IMPLEMENTED 


B IMPLEMENTED 


C IMPLEMENTED 


D IMPLEMENTED 


History Colorado should improve its internal controls over its payroll processes by: 


Updating its existing policies and procedures to include all necessary responsibilities required 
by State Fiscal Rules and the Office of the State Controller (OSC), as well as all History 
Colorado payroll processes not currently included in the documented policies. In addition, the 
updated policies and procedures should include requirements to document and maintain 
evidence of any reviews that are performed, as well as the timeframe in which those reviews 
should be performed. 


Ensuring that representations made to the OSC are accurate and supported by the maintenance 
of appropriate documentation. 


Providing adequate training to staff over the performance of payroll processes and internal 
control procedures, including training on requirements for payroll outlined in History 
Colorado’s policies and procedures, as updated; the OSC’s Fiscal Procedures Manual; and State 
Fiscal Rules. 


History Colorado should improve its internal controls over financial reporting by: 


Developing and implementing policies and procedures for preparing and reviewing fiscal year- 
end accounting activities, including History Colorado’s exhibits and all necessary 
responsibilities required by State Fiscal Rules and the Office of the State Controller. 

Instituting a fiscal year-end variance analysis process, including requiring History Colorado 
staff to compare current year financial information to the prior fiscal year to identify potential 
misstatements. 


Adequately training staff on History Colorado’s new policies and procedures for preparing and 
reviewing exhibits. 


Ensuring a consistent and timely supervisory review process is in place over accounting 
activities, including fiscal year-end processes. 


DEPARTMENT OF HIGHER EDUCATION - METROPOLITAN STATE UNIVERSITY OF DENVER 


PARTIALLY 
IMPLEMENTED 


B IMPLEMENTED 


IMPLEMENTED 


Metropolitan State University of Denver should improve its information security controls over 
Banner by: 


Mitigating the information security problem noted in the confidential finding PART A. 


STATUS NOTE: Metropolitan State University of Denver has established informal controls 
related to user access and plans to formalize the controls around user access rights review in 
order to fully implement by November 2020. 


Mitigating the information security problem noted in the confidential finding PART B. 


Metropolitan State University of Denver should improve its change management IT controls by 
mitigating the change management problem noted in the confidential finding. 
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IMPLEMENTED 


A IMPLEMENTED 


B PARTIALLY 
IMPLEMENTED 


Metropolitan State University of Denver should improve IT operations controls by mitigating 
the computer operations problems noted in the confidential finding. 


Metropolitan State University of Denver should improve internal controls over computer 
operations by ensuring that it has the necessary staff to: 


Prioritize the mitigation of the specific problem noted in the confidential finding PART A. 
STATUS NOTE: Implemented in Fiscal Year 2019. 
Mitigate the specific problem noted in the confidential finding PART B. 


STATUS NOTE: Metropolitan State University of Denver partially implemented this prior audit 
recommendation in Fiscal Year 2019 and plans to fully implement this recommendation by 
December 2020. 


DEPARTMENT OF HIGHER EDUCATION - UNIVERSITY OF NORTHERN COLORADO 


A IMPLEMENTED 
B IMPLEMENTED 


The University of Northern Colorado should improve IT controls to safeguard information 
contained in the Colorado Operations Resource Engine (CORE) and the Banner System by: 


Mitigating the information security problem noted in confidential finding PART A. 
Mitigating the information security problem noted in confidential finding PART B. 


DEPARTMENT OF HUMAN SERVICES 


A IMPLEMENTED 
B IMPLEMENTED 


PARTIALLY 
IMPLEMENTED 


The Department of Human Services should improve IT controls over the Electronic Benefits 
Transfer System by: 


Mitigating the information security problems noted in PART A of the confidential finding. 
Mitigating the information security problems noted in PART B of the confidential finding. 
Mitigating the information security problems noted in PART C of the confidential finding. 


STATUS NOTE: While the Department implemented certain information security controls to 
mitigate the problems noted in PART C of the confidential finding, these controls were not in 
place by the end of Fiscal Year 2020. The Department plans to implement this recommendation 
by July 2020. 


M-11 


RECOMMENDATION 2019-023 


The Department of Human Services should improve its internal controls over payroll by: 


Enforcing the Department’s policy requiring that employees certify and supervisors approve 
timesheets within the timeframes specified in the Certified Timesheet Guidelines. 


STATUS NOTE: The Department plans to implement this recommendation by the July 2020 
implementation date. 


A DEFERRED 


Implementing a process for tracking employees’ and supervisors’ completion of payroll-related 
training and for following up to ensure training completion, as applicable. 


STATUS NOTE: The Department plans to implement this recommendation by the July 2020 
implementation date. 


B DEFERRED 


Creating and implementing a periodic review process to ensure that unit timekeepers maintain 
all signed and certified timesheets according to the guidelines. 


STATUS NOTE: The Department plans to implement this recommendation by the July 2020 
implementation date. 


C DEFERRED 


RECOMMENDATION 2018-062 


The Department of Human Services should work with the Governor’s Office of Information 
Technology to strengthen information technology general controls over the Childcare 
Automated Tracking System (CHATS) by: 


Implementing procedures to ensure sufficient account management internal controls are in place 
to address the problems identified in the detailed confidential finding. 


A NOLONGER APPLICABLE STATUS NOTE: OIT’s Chief Information Security Officer approved a Secure Configuration 
Exception Request, exempting this issue from compliance with Colorado Information Security 
Policies. 


Developing and communicating account management policies and procedures to address the 
B IMPLEMENTED problems identified in the detailed confidential finding. 


STATUS NOTE: Implemented in Fiscal Year 2019. 


Ensuring that the account management problems noted in the detailed confidential finding are 
C IMPLEMENTED addressed in the CHATS modernization project when the new system is implemented. 


STATUS NOTE: Implemented in Fiscal Year 2019. 


JUDICIAL BRANCH 


RECOMMENDATION 2019-024 


The Judicial Branch should improve internal controls over financial accounting reporting and 
exhibit review and submission by: 


Implementing a documented review of all exhibits to be submitted to the Office of the State 
A IMPLEMENTED Controller (OSC) by a person who is not the preparer of the exhibit and ensuring that all staff 
involved in the preparation and review process are aware of the OSC submission requirements. 


Establishing a clear backup to the key review controls in the exhibit review process, so that in 


B IMPLEMENTED ; : 
the event of turnover the control will continue to operate. 
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RECOMMENDATION 2019-025 


A IMPLEMENTED 
B IMPLEMENTED 


The Judicial Branch should improve its information security controls over the Colorado 
Operations Resource Engine by: 


Mitigating the information security problem noted in confidential finding PART A. 
Mitigating the information security problem noted in confidential finding PART B. 


DEPARTMENT OF LABOR AND EMPLOYMENT 


RECOMMENDATION 2019-026 


A DEFERRED 


B DEFERRED 


C DEFERRED 


D DEFERRED 


The Department of Labor and Employment should work with the Governor’s Office of 
Information Technology (OIT) and the Colorado Labor and Employment Applicant Resource 
(CLEAR) vendor, as applicable, to improve information security controls over the Colorado 
Unemployment Benefits System, the Colorado Automated Tax System, and the CLEAR 
systems, and to comply with Colorado Information Security Policies, OIT Cyber Policies, and 
IRS Publication 1075, as applicable, by: 

Mitigating the information security problems noted in PART A of the confidential finding. 
STATUS NOTE: The Department plans to fully implement this recommendation by the August 
2020 implementation date. 

Mitigating the information security problems noted in PART B of the confidential finding. 
STATUS NOTE: The Department plans to fully implement this recommendation by the September 
2020 implementation date. 

Mitigating the information security problems noted in PART C of the confidential finding. 
STATUS NOTE: The Department plans to fully implement this recommendation by the June 2021 
implementation date. 

Mitigating the information security problems noted in PART D of the confidential finding. 


STATUS NOTE: The Department plans to fully implement this recommendation by the September 
2020 implementation date. 


RECOMMENDATION 2019-028 AND 2018-023 


A IMPLEMENTED 


B NOT IMPLEMENTED 


C NOT IMPLEMENTED 


The Department of Labor and Employment should work with the Governor’s Office of 
Information Technology and the Colorado Labor and Employment Applicant Resource 
(CLEAR) vendor, as applicable, to: 

Implement appropriate procedures to mitigate the specific problems noted in the confidential 
finding PART A. 


STATUS NOTE: Implemented in Fiscal Year 2019 


Implement appropriate procedures to mitigate the specific problems noted in the confidential 
finding PART B. 

STATUS NOTE: The Department plans to fully implement this recommendation by September 
2020. 

Hold the CLEAR vendor accountable for contract provisions to ensure they are complying with 
Colorado Information Security Policies. 


STATUS NOTE: The Department plans to fully implement this recommendation by September 
2020. 
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NOT IMPLEMENTED 


The Colorado Department of Labor and Employment should work with the Governor’s Office 
of Information Technology to ensure compliance with Colorado Information Security Policies 
and improve information technology general controls over the Colorado Unemployment 
Benefits System and Colorado Automated Tax System by: Ensuring that audit logging is 
designed, built, implemented, and operational as part of the Unemployment Insurance 
Modernization project. 


STATUS NOTE: The Department plans to fully implement this recommendation by October 
2020. 


PARTIALLY 
IMPLEMENTED 


B IMPLEMENTED 


C NO LONGER APPLICABLE 


D NO LONGER APPLICABLE 


E NOT IMPLEMENTED 


The Department of Labor and Employment (Department) should work with the Governor’s 
Office of Information Technology (OIT), and the CLEAR vendor, as applicable, to improve 
internal controls over the Colorado Unemployment Benefits System (CUBS), Colorado 
Automated Tax System (CATS), and the Colorado Labor and Employment Applicant Resource 
(CLEAR) by: 

Developing and establishing adequate processes to comply with Security and OIT Cyber Policies 
and IRS Publication 1075, as applicable. 

STATUS NOTE: The Department has worked with OIT to resolve certain information security 
internal control problems identified in the confidential finding. Both the Department and OIT 
continue to further strengthen processes as they work through the final implementation of the 
modernization project expected to be completed in October 2020. 

Implementing appropriate procedures to mitigate the specific problems noted in the confidential 
finding related to safeguarding data backups. 


STATUS NOTE: Implemented in Fiscal Year 2018. 

Reconfiguring system settings and refining practices to mitigate the specific problems noted in 
the confidential finding related to account management. 

STATUS NOTE: Included as part of Fiscal Year 2019 Recommendation 2019-027. 
Implementing appropriate procedures to mitigate the specific problems noted in the confidential 
finding relating to CLEAR system event logs. 

STATUS NOTE: Included as part of Fiscal Year 2019 Recommendation 2019-026. 

Ensuring that these issues are addressed in the Unemployment Insurance systems modernization 
project. 


STATUS NOTE: The Department has worked with OIT to resolve certain information security 
internal control problems identified in the confidential finding. Both the Department and OIT 
continue to further strengthen processes as they work through the final implementation of the 
modernization project expected to be completed in October 2020. 
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DEPARTMENT OF MILITARY AND VETERANS AFFAIRS 


RECOMMENDATION 2019-029 


The Department of Military and Veterans Affairs should improve IT controls and safeguard 
information contained in the Colorado Operations Resource Engine system by: 


Mitigating the information security problems identified in the confidential recommendation 


A IMPLEMENTED PART A. 


Mitigating the information security problems identified in the confidential recommendation 


B IMPLEMENTED PARTB. 


HI-15 


DEPARTMENT OF PERSONNEL & ADMINISTRATION 


RECOMMENDATION 2019-030 
STATUS RECOMMENDATION TEXT 


The Department of Personnel & Administration’s Office of the State Controller (OSC) should 
strengthen its internal controls over financial reporting to ensure that the OSC’s fiscal year-end 
accounting processes result in compliance with statutes and that the State’s Financial Statements 
provided to decision makers are accurate, complete, and prepared in accordance with generally 
accepted accounting principles (GAAP). This should include the following: 


Analyzing and reviewing historical transactions posted after the statutory close-date in detail to 
gain an understanding of whether the transactions should be posted by the statutory close and 
A DEFERRED department close to be compliant with statutory requirements. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2020 implementation date. 


Applying the analysis from Part A to define, document, and communicate to departments and 
institutions of higher education the specific types of transactions that must be made within 35 
days of fiscal year-end in order for the OSC to comply with the statutory close and department 

B DEFERRED close, and holding departments and institutions of higher education accountable for meeting 
related deadlines. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2020 implementation date. 


Reevaluating the accounting deadlines and adjusting them as necessary in order to meet the 
GAAP requirements for the Financial Statements. This should include resolving delays caused 
by the labor allocation process and/or implementing a plan to change or address the issues with 


C DEFERRED the current labor allocation process. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2022 implementation date. 


Formalizing and expanding the OSC’s existing policies and procedures over Exhibit Js for 
inclusion in the Financial Statements. The policies and procedures should include sufficient 
details on the OSC’s processes related to: 


i. Specific review procedures that should be performed to ensure that the 
exhibits are reasonable and completed in accordance with the OSC’s 

D DEFERRED Instructions for Exhibits. 
ii. Making timely adjustments identified through the reviews to the Financial 


Statements prior to submitting them to the Governor and General Assembly. 
iii. | Obtaining revised exhibits. 

STATUS NOTE: The Department plans to fully implement the recommendation by the December 

2020 implementation date. 

Strengthening the OSC’s existing policies and procedures for preparing and reviewing the State’s 

Financial Statements and Annual Report. The changes should include procedures for reviews 
E NOT IMPLEMENTED to be sufficiently detailed to allow for significant issues, such as those identified in the audit, to 

be detected and corrected. 

STATUS NOTE: See Current Audit Recommendation 2020-028. 


CLASSIFICATION: MATERIAL WEAKNESS 


HI-16 


PARTIALLY 
IMPLEMENTED 


B IMPLEMENTED 


The Department of Personnel & Administration’s Office of the State Controller (OSC) should 
strengthen its internal controls and reporting of prior period adjustments by: 


Requiring departments and institutions of higher education to track all prior period adjustments 
made during the fiscal year and to report them to the OSC at fiscal year-end. This should include 
revising the Fiscal Procedures Manual and the Exhibit PPA, Prior Period Adjustments, to 
eliminate the allowance for a qualification. 


STATUS NOTE: The OSC revised the Fiscal Procedures Manual and the Exhibit PPA. They also 
required departments to track and report prior period adjustments made during the fiscal year 
and report them to the OSC. However, the OSC did not require Institutions of Higher 
Education to track and report prior period adjustments. The OSC plans to fully implement this 
part of the recommendation by June 2021. 


Revising the Exhibit A1, Changes in TABOR Revenue and Base Fiscal Year Spending, and 
related instructions to eliminate the inconsistent guidance regarding corrections to prior year 
recorded Taxpayer’s Bill of Rights (TABOR) revenue to require reporting of all prior period 
adjustments affecting TABOR revenue, regardless of dollar amount. 


A DEFERRED 


B DEFERRED 


C DEFERRED 


The Department of Personnel & Administration’s Office of the State Controller (OSC) should 
continue to improve internal controls related to the American Institute of Certified Public 
Accountants’ Statement on Standards for Attestation Engagements 18 — System and 
Organization Controls 1, Type II reports (SOC Reports) by: 


Creating and implementing policies and procedures around performing risk assessment and 
planning related to the State’s IT systems to determine which systems are critical to the State’s 
Comprehensive Annual Financial Report, which systems require SOC Reports, and tracking 
SOC Report opinions. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2020 implementation date. 


Providing contract template information for SOC Reports related to financial reporting. The 
OSC should review contracts that may require SOC Reports and determine how to proceed 
with the contract. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2020 implementation date. 


Ensuring that the OSC’s Fiscal Procedures Manual contains sufficient guidance and clear 
responsibilities on SOC Reports related to financial reporting, specifically including department 
responsibilities related to SOC Reports, and department responsibilities to review and 
implement complementary user entity controls. 


STATUS NOTE: The Department plans to fully implement the recommendation by the December 
2020 implementation date. 


DEFERRED 


I-17 


The Department of Personnel & Administration’s Office of the State Controller (OSC) should 
improve its processes and review related to the implementation of Government Accounting 
Standards Board (GASB) statements and implementation guides by ensuring that its analyses 
include specific anticipated impacts and approaches to the OSC’s financial reporting processes 
for implementing each GASB statement and implementation guide. 


STATUS NOTE: The Department plans to fully implement the recommendation by the September 
2020 implementation date. 


IMPLEMENTED 


The Department of Personnel & Administration’s Office of the State Controller should ensure 
that it meets statutory requirements by continuing to work with the Attorney General’s Office 
to obtain an interpretation of the pay-date shift statute and how it relates to the State’s 
institutions of higher education, and to then provide appropriate direction to the institutions of 
higher education regarding the pay-date shift. 


PARTIALLY IMPLEMENTED 


B IMPLEMENTED 


The Office of the State Controller should strengthen information technology controls over the 
Colorado Operations Resource Engine system by working with CGI to ensure that the System 
and Organization Controls 1, Type II report covers appropriate database layer controls relevant 
to financial reporting. 


STATUS NOTE: See Current Audit Recommendation 2020-029. 


The Department of Personnel & Administration’s Office of the State Controller (OSC) should 
strengthen its internal controls over pension and other postemployment benefit reporting by: 


Updating and implementing its documented policies and procedures related to financial 
statement reporting and note disclosures required by GASB Statement No. 68, Accounting and 
Financial Reporting for Pensions (GASB 68), and GASB Statement No. 75, Accounting and 
Financial Reporting for Postemployment Benefits Other Than Pensions (GASB 75), to include 
sufficient details related to the preparation and supervisory review of the note disclosures and 
supporting documentation to ensure that all elements agree to the underlying accounting 
records and that financial reporting meets statutory and generally accepted accounting 
principles requirements. 


STATUS NOTE: The Office of the State Controller (OSC) implemented updated documented 
policies and procedures related to pension and Other Post Employment Benefit financial 
statement reporting and note disclosures. However, we continued to identify some issues with 
the OSC's reporting, including missing note disclosures, amounts that did not agree to the 
underlying support, and various calculation errors that were not identified by OSC's staff. The 
OSC plans to fully this part of the recommendation by September 2021. 

Establishing and implementing a process to obtain information from the State’s higher 
education institutions on all types of pension and other postemployment benefit plans offered 
by the institutions. The OSC should compile this information, document its analysis, and 
include the appropriate disclosures for GASBs 68 and 75 in its financial statements. 


STATUS NOTE: Implemented in Fiscal Year 2019. 
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DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT 


RECOMMENDATION 2019-036 


The Department of Public Health and Environment should strengthen its internal controls over 

financial reporting by: 

Implementing a process requiring sufficient reviews of information used for calculating Office 
A IMPLEMENTED of the State Controller exhibits, including information used to calculate and report pollution 

remediation liabilities. 


Ensuring Accounting Division staff are sufficiently trained on Department accounting-related 
policies, including those related to pollution remediation obligations. 


DEPARTMENT OF REVENUE 


RECOMMENDATION 2019-037 


The Department of Revenue should improve information security controls for the Driver 
License, Record, Identification, and Vehicle Enterprise Solution (DRIVES) system by: 


A IMPLEMENTED Mitigating the information security problems noted in PART A of the confidential finding. 
B IMPLEMENTED Mitigating the information security problems noted in PART B of the confidential finding. 


B IMPLEMENTED 


RECOMMENDATION 2019-039 


The Department of Revenue should improve oversight of vendor contract compliance and 
develop a mechanism to hold staff accountable for monitoring and enforcing contract 
provisions by formalizing a process to ensure FAST Enterprises (FAST) has implemented 
mitigating controls to address those Colorado Information Security Policies that FAST is unable 
to fully implement, and by initiating discussions with the Governor's Office of Information 
Technology to document management's acceptance of the risk. 


DEPARTMENT OF TRANSPORTATION 


RECOMMENDATION 2019-040 


The Colorado Bridge Enterprise (CBE) should improve its internal controls over adjusting 
accounting entries by: 


IMPLEMENTED 


Implementing additional levels of review over recorded journal entries and its annual financial 
A IMPLEMENTED statements. If CBE does not have the capacity within its employees, CBE should request 
assistance from Colorado Department of Transportation’s accounting personnel. 


Providing additional training to CBE personnel, including those who work outside of the 
Accounting and Finance Division, on the importance of maintaining proper codes for projects 
and the effects of a change in a projects code between that of a capital project and a project that 
is expensed. 
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DIANNE E. RAY, CPA 
STATE AUDITOR 


INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL 
OVER FINANCIAL REPORTING AND ON COMPLIANCE AND OTHER MATTERS 
BASED ON AN AUDIT OF FINANCIAL STATEMENTS PERFORMED 
IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS 


Members of the Legislative Audit Committee: 


We were engaged to audit, in accordance with the auditing standards generally accepted in the 
United States of America and the standards applicable to financial audits contained in Government 
Auditing Standards issued by the Comptroller General of the United States, the financial 
statements of the governmental activities, the business-type activities, the aggregate discretely 
presented component units, each major fund, and the aggregate remaining fund information of the 
State of Colorado (State), as of and for the year ended June 30, 2020, and the related notes to the 
financial statements, which collectively comprise the State’s basic financial statements and have 
issued our report thereon dated March 5, 2021. We have also audited the State’s budgetary 
comparison schedule-general fund component and the related note for the year ended June 30, 
2020, and have issued our report thereon dated March 5, 2021. Our report disclaims an opinion on 


the Unemployment Insurance Fund and Business Type Activities for the following basis: 


The State of Colorado did not have an adequate methodology to substantiate the estimated amount 
of receivables and payables within the Unemployment Insurance Fund of $510 million and $872 
million, respectively, as of June 30, 2020. The receivable balance includes potential overpayments 
and comprises 54% of total assets of the Unemployment Insurance Fund, and 3% of Business- 
Type Activities. The payable balance includes potential claims outstanding at year-end and 
comprises 92% of total liabilities of the Unemployment Insurance Fund and 7% of the Business- 
Type Activities. As of June 30, 2020, and as of the date of this report, a significant backlog of 
unprocessed and unadjudicated unemployment insurance claims existed which may represent 


overpayments due to errors and/or fraud. The State’s records do not permit us, nor is it practical to 
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extend or apply other auditing procedures, to obtain sufficient appropriate audit evidence 
to conclude that the receivable and payable balances in the Unemployment Insurance Fund 
and Business-Type Activities were free of material misstatement. As a result of these matters, we 
were unable to determine whether further audit adjustments may have been necessary in respect 
to the elements making up the statements of net position, statement of activities, the 
statement of revenues, expenses and changes in fund net position for proprietary funds, or the 


statement of cash flows for proprietary funds. 


Our report includes a reference to other auditors who audited the financial statements of the 
discretely presented component units and a blended component unit, as described in our report 
on the State of Colorado’s financial statements. This report does not include the results of the 
other auditor’s testing of internal control over financial reporting and compliance and other 
matters that are reported on separately by those other auditors. The financial statements of the 
University of Colorado Foundation, the Statewide Internet Portal Authority, and the Denver 
Metropolitan Major League Stadium District, which are discretely presented component units, 
were audited in accordance with auditing standards generally accepted in the United States, 


but were not audited in accordance with Government Auditing Standards. 


INTERNAL CONTROL OVER FINANCIAL REPORTING 


In connection with our engagement to audit the financial statements of the State, we 
considered the State’s internal control over financial reporting (internal control) as a basis 
for designing audit procedures that are appropriate in the circumstances for the purpose of 
expressing our opinions on the financial statements, but not for the purpose of expressing 
an opinion on the effectiveness of the State’s internal control. Accordingly, we do not 
express an opinion on the effectiveness of the State’s internal control. 


Our consideration of internal control was for the limited purpose described in the preceding 
paragraph and was not designed to identify all deficiencies in internal control that might be 
material weaknesses or significant deficiencies and therefore, material weaknesses or 
significant deficiencies may exist that have not been identified. However, as described in the 
accompanying Schedule of Findings, we did identify certain deficiencies in internal control 
that we consider to be material weaknesses and significant deficiencies. 


A deficiency in internal control exists when the design or operation of a control does not allow 
management or employees, in the normal course of performing their assigned functions, to 


prevent, or detect and correct, misstatements on a timely basis. A material weakness is a 
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deficiency, or a combination of deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity’s financial statements will not 
be prevented, or detected and corrected, on a timely basis. We consider the deficiencies 
described in the accompanying Schedule of Findings as RECOMMENDATIONS 2020-003, 004, 
010, 012, 013, 016, 023, 024, and 028 through 031 to be MATERIAL WEAKNESSES. 


A significant deficiency is a deficiency, or a combination of deficiencies, in internal control 
that is less severe than a material weakness, yet important enough to merit attention by those 
charged with governance. We consider the deficiencies described in the accompanying 
Schedule of Findings as RECOMMENDATIONS 2020-001, 002, 005 through 009, 011, 014, 015, 
017 through 022, 025 through 027, 032, and 033 to be SIGNIFICANT DEFICIENCIES. 


COMPLIANCE AND OTHER MATTERS. 


In connection with our engagement to audit the State’s financial statements, we performed 
tests of its compliance with certain provisions of laws, regulations, contracts, and grant 
agreements, noncompliance with which could have a direct and material effect on the financial 
statements. However, providing an opinion on compliance with those provisions was not an 
objective of our engagement, and accordingly, we do not express such an opinion. The results 
of our tests disclosed instances of noncompliance or other matters that are required to be 
reported under Government Auditing Standards and which are described in the 
accompanying Schedule of Findings as RECOMMENDATION 2020-024. Additionally, if the 
scope of our work had been sufficient to enable us to express opinions on the basic financial 
statements, other instances of noncompliance or other matters may have been identified and 


reported therein. 
STATE OF COLORADO’S RESPONSE TO FINDINGS 


The State’s response to the findings identified in our engagement is included in the 
accompanying Schedule of Findings. The State’s response was not subjected to the auditing 
procedures applied in the engagement to audit the financial statements and, accordingly, we 


express no opinion on it. 
PURPOSE OF THIS REPORT 


The purpose of this report is solely to describe the scope of our testing of internal control and 


compliance and the results of that testing, and not to provide an opinion on the effectiveness 
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of the entity’s internal control or on compliance. This report is an integral part of an 
engagement to perform an audit in accordance with Government Auditing Standards in 
considering the entity’s internal control and compliance. Accordingly, this communication 


is not suitable for any other purpose. 


OMAN è 


Denver, Colorado 
March 5, 2021 
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March 5, 2021 


INDEPENDENT AUDITOR’S COMMUNICATION 
WITH THOSE CHARGED WITH GOVERNANCE 


Members of the Legislative Audit Committee: 


We were engaged to audit the financial statements of the governmental 
activities, the business-type activities, the aggregate discretely presented 
component units, each major fund, and the aggregate remaining fund 
information of the State of Colorado (State) for the year ended June 30, 2020, 
and the related notes to the financial statements. We have also audited the 
State’s budgetary comparison schedule-general fund component and the 
related note for the Fiscal Year Ended June 30, 2020. 


As previously communicated on March 2, 2021, we encountered significant 
difficulties completing the audit of the Unemployment Insurance Fund, causing 
a disclaimer of opinion. Further details are noted in the letter below under the 
sections titled “Difficulties Encountered in Performing the Audit” and “Other 


Audit Findings or Issues.” 


Professional standards require that we provide you with information about our 
responsibilities under generally accepted auditing standards, Government 
Auditing Standards, and the Uniform Guidance, as well as certain information 
related to the planned scope and timing of our audit. We have communicated 


such information in our letter to you dated September 3, 2020. 


Professional standards also require that we communicate to you the following 


information related to our audit. 
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SIGNIFICANT AUDIT MATTERS 
Qualitative Aspects of Accounting Practices 


Management is responsible for the selection and use of appropriate accounting policies. The 
significant accounting policies used by the State are described in Note 1 to the financial 
statements contained in the State’s Fiscal Year 2020 Comprehensive Annual Financial 
Report issued under separate cover. As described in Note 1.A. of the financial statements, 
the State did not adopt any new Statements of Governmental Accounting Standards (GASB 
Statements) in Fiscal Year 2020. Auraria Higher Education Center early implemented 
GASB Statement No. 84, Fiduciary Activities , but the standard was not implemented at a 
statewide level. Accordingly, the cumulative effect of this accounting change as of the 
beginning of the fiscal year is reported in Note 15.B. of the financial statements. We noted 
no transactions entered into by the State during the year for which there is a lack of 
authoritative guidance or consensus. Except for the prior period adjustments reported in 
Note 15.A. of the financial statements, all significant transactions have been recognized in 


the financial statements in the proper period. 


Accounting estimates are an integral part of the financial statements prepared by 
management and are based on management’s knowledge and experience about past and 
current events and assumptions about future events. Certain accounting estimates are 
particularly sensitive because of their significance to the financial statements and because 
of the possibility that future events affecting them may differ significantly from those 


expected. 


The most sensitive estimates affecting the State’s financial statements included 
Unemployment Insurance receivables, Unemployment Insurance payables, taxes receivable, 
allowance for doubtful accounts, depreciation of capital assets, net pension liabilities and 
other post-employment benefits (OPEB) related liabilities, and pollution remediation 
obligation estimates. The estimates related to Unemployment Insurance contain significant 
uncertainty and we were unable to obtain sufficient appropriate audit evidence to support 
certain elements used to develop the estimates. This resulted in the disclaimer of opinion 
on the Unemployment Insurance Fund and Business-Type Activities opinion units as 
discussed in the letter below in the sections entitled “Difficulties Encountered in Performing 
the Audit” and “Other Audit Findings or Issues.” We evaluated the key factors and 
assumptions used to develop the remaining estimates in determining that they are 


reasonable in relation to the financial statements taken as a whole. 
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Certain financial statement disclosures are particularly sensitive because of their 
significance to financial statement users. The most sensitive disclosures affecting the 
financial statements were cash and investments, capital assets and their related depreciation, 
pension obligations, other postemployment benefits, prior period adjustments, over- 


expenditures, contingencies, and subsequent events. 
The financial statement disclosures are neutral, consistent, and clear. 
DIFFICULTIES ENCOUNTERED IN PERFORMING THE AUDIT 


We encountered significant audit difficulties in relation to testing of the Unemployment 
Insurance Fund. This is described further in Recommendation 2020-023 within this 


Report. 
CORRECTED AND UNCORRECTED MISSTATEMENTS 


Professional standards require us to accumulate all known and likely misstatements 
identified during the audit, other than those that are clearly trivial, and communicate 
them to the appropriate level of management. Section V-Appendix summarizes 
uncorrected misstatements of the financial statements. Management has determined, and 
we agree, that their effects are immaterial, both individually and in the aggregate, 
to the financial statements taken as a whole. Section V-Appendix also summarizes 
misstatements corrected by management that were detected as a result of audit 


procedures. 
DISAGREEMENTS WITH MANAGEMENT 


For the purposes of this letter, a disagreement with management is a financial accounting, 
reporting, or auditing matter, whether or not resolved to our satisfaction, that could 
be significant to the financial statements or the auditor’s report. No such disagreements 


arose during the course of our audit. 
MANAGEMENT REPRESENTATIONS 


We have requested and received certain representations from management that are included 


in the management representation letter dated March 5, 2021. 
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MANAGEMENT CONSULTATIONS WITH OTHER INDEPENDENT 
ACCOUNTANTS 


In some cases, management may decide to consult with other accountants about auditing 
and accounting matters, similar to obtaining a second opinion on certain situations. If a 
consultation involves application of an accounting principle to the State’s financial 
statements or a determination of the type of auditor’s opinion that may be expressed on 
those statements, our professional standards require the consulting accountant to check 
with us to determine that the consultant has all the relevant facts. To our knowledge, there 


were no such consultations with other accountants. 
OTHER AUDIT FINDINGS OR ISSUES 


We generally discuss a variety of matters, including the application of accounting principles 
and auditing standards, with management each year as the State’s auditors. However, these 
discussions occurred in the normal course of our professional relationship and our 


responses were not a condition to our retention. 


We issued a disclaimer of opinion on the Unemployment Insurance Fund and Business-Type 
Activities for the fiscal year ended June 30, 2020. A disclaimer of opinion is issued when 
the auditor is unable to obtain sufficient appropriate audit evidence on which to base the 
opinion, and the auditor concludes that the possible effects on the financial statements of 
undetected misstatements, if any, could be both material and pervasive. The State of 
Colorado did not have an adequate methodology to substantiate the estimated amount of 
receivables and payables within the Unemployment Insurance Fund of $510 million and 
$872 million, respectively, as of June 30, 2020. The receivable balance includes potential 
overpayments and comprises 54% of total assets of the Unemployment Insurance Fund, 
and 3% of Business-Type Activities. The payable balance includes potential claims 
outstanding at year end and comprises 92% of total liabilities of the Unemployment 
Insurance Fund and 7% of the Business-Type Activities. As of June 30, 2020, and as of the 
date of this report, a significant backlog of unprocessed and unadjudicated unemployment 
insurance claims existed which may represent overpayments due to errors and/or fraud. The 
State’s records do not permit us, nor is it practical to extend or apply other auditing 
procedures, to obtain sufficient appropriate audit evidence to conclude that the receivable 
and payable balances in the Unemployment Insurance Fund and Business-Type Activities 
were free of material misstatement. As a result of these matters, we were unable to 


determine whether further audit adjustments may have been necessary in respect to the 
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elements making up the statements of net position, statement of activities, the statement of 
revenues, expenses and changes in fund net position for proprietary funds, or the statement 


of cash flows for proprietary funds. 


We also identified a change in the State’s reporting entity. Specifically, as discussed in Note 
15 of the financial statements, the State included the Statewide Internet Portal Authority in 
its reporting entity. This change was based on a reevaluation of financial significance, and 
is in accordance with other guidance. Our opinion was not modified with respect to this 


matter. 
OTHER MATTERS 


We applied certain limited procedures to the management’s discussion and analysis, 
budgetary comparison schedules, and notes to the required supplementary information that 
include the defined benefit pension plan and other postemployment benefit information, 
which are required supplementary information (RSI) that supplements the basic financial 
statements. Our procedures consisted of inquiries of management regarding the methods of 
preparing the information and comparing the information for consistency with 
management’s responses to our inquiries, the basic financial statements, and other 
knowledge we obtained during our audit of the basic financial statements. We do not 
express an opinion or provide any assurance on the information because the limited 
procedures on the RSI do not provide us with sufficient evidence to express an opinion or 


provide any assurance on the RSI. 


We were engaged for the purpose of forming an opinion on the basic financial statements 
as a whole. The combining nonmajor fund financial statements and schedule of TABOR 
revenue and computations are presented for the purposes of additional analysis and are not 
a required part of the financial statements. Based on the significance of the matters 
described in the Basis for Disclaimer of Opinion paragraph, it is inappropriate to and we 


do not express an opinion on the supplementary information referred to above 


We were not engaged to report on the introductory section, the budget and actual schedules- 
budgetary basis non-appropriated, and statistical section, which accompany the financial 
statements but are not RSI. Such information has not been subjected to the auditing 
procedures applied in the audit of the basic financial statements, and accordingly, we do 


not express an opinion or provide any assurance on them. 
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GROUP AUDIT COMMUNICATION 


The group engagement team should communicate the following matters with those charged 


with governance of the group: 


e Instances in which the group engagement team’s evaluation of the work of a 
component audit gave rise to a concern about the quality of that auditor’s work. No 
such instances were noted. 

e Any limitations on the group audit (for example, when the group engagement team’s 
access to information may have been restricted). We encountered no limitations 
while performing our audit. 

e Fraud or suspected fraud involving group management, component management, 
employees who have significant roles in group-wide controls, or others in which a 
material misstatement of the group financial statements has or may have resulted 


from fraud. No such matters were noted. 
RESTRICTION ON USE 


This information is intended solely for the use of the Legislative Audit Committee and 
management of the State and is not intended to be, and should not be, used by anyone other 
than these specified parties. However, upon release by the Legislative Audit Committee, 


this report is a public document. 


Very truly yours, 


hlte && è 


Denver, CO 
March 5, 2021 
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APPENDIX 


AGRICULTURE $ 5,041,459 . -$ -$ -$ -$ (9,919) $ (5,051,378) 
CORRECTIONS $ - -$ -$ - $ (1,589,001) $ 1,589,001 $ - 
EDUCATION $ - : - $ -$ -$ -$ -$ - 
OFFICE OF THE 

GOVERNOR $ 327,007 $ -$ -$ -$ 1,168,100 $ (118,231) $ 722,862 
HEALTH CARE 

POLICY AND $ 11,097,313 $ - $ (489,855) $ -$ - $ (1,160,070) $ (12,747,238) 
FINANCING 

HIGHER $ 4,269,716 $ 1,032,157 $ 3,968,522 $ - $ (2,496,799) $ (506,457) $ (4,336,607) 
EDUCATION y: 3 bd 3 a F 3 ee z 3 EA 
HUMAN SERVICES $ 1,145,847 $ $ 130,629 $ -$ $ (126,369) $ (1,141,587) 
JUDICIAL $ -$ $ -$ -$ $ -$ - 
LABOR AND 

EMPLOYMENT $ -$ $ -3 “8 $ 2i 
LAW $ 278,484 $ -| $ 594 $ 9 -$ (15,817) $ (293,707) 
LEGISLATIVE $ -$ - $ -$ -$ -$ -$ - 
LOCAL AFFAIRS $ -$ $ -$ -$ $ -$ - 
MILITARY AND 

VETERANS AFFAIRS $ 1,307 $ $ -$ -$ $ 1,307 $ 
NATURAL 

ee $ -$ -$ -$ -$ -$ -1$ - 
PERSONNEL & 

ADMINISTRATION $ 9,028,310 $ - $ (21,093,356) $ - $ 8,968,300 $ 60,010 $ (21,093,356) 
PUBLIC HEALTH 

AND $ (4,992,459 $ -$ -$ -$ 1,082,450 $ (1,033,450) $ 5,041,459 
ENVIRONMENT 

PUBLIC SAFETY $ 736,429 $ - $ 76,978 $ -$ -$ 1,325,126 $ 665,675 
REGULATORY 

ees $ 4,722 $ - $ -$ -$ -$ 5,195 $ 473 
REVENUE $ (128,664) $ - $ (31,076) $ -$ -$ 1,499 $ 99,087 
STATE $ -$ -$ -$ -$ -$ -$ - 
TRANSPORTATION $ - $ (880,420) $ -$ -$ - * (880, uy 
TREASURY $ -$ -$ -$ -$ 


i 
$ 26,809,471|$ 1,032,157| $ (18,317,984) so 7,133,050|$ 11,825]$ (39,014,737) 
(DECREASE) 


AGRICULTURE $ 6,096,721 ; -$ -$ 9,919 $ 5,051,378 
CORRECTIONS $ - -$ -$ o 1,589, 001 : 1,589,001 $ - 
EDUCATION $ - : -$ -$ -$ -$ -$ - 
OFFICE OF THE 

Conon $ 327,007 $ -$ -$ - $ 3,628,939 $ 7,753,914 $ 1,790,518 
HEALTH CARE 

POLICY AND $ 13,417,454 $ -$ 489,855 $ -$ -$ 1,160,070 $ 35,361,315 
FINANCING 

PUCER r T 4,115,667 $ $ 6,651,443 $ 5,659,052$ 9,933,132 
EDUCATION > x > pl 3 2 pi 3 2 3 > 2 
HUMAN SERVICES $ 1,387,099 $ -$ 306,250 $ $ $ 310,510 $ 1,144,908 
JUDICIAL $ -$ -$ -$ $ $ -$ - 
LABOR AND 

EMPLOYMENT $ -$ -$ -$ $ $ -$ 
LAW $ 316,486 $ - $ 2,366 $ -$ -$ 15,817 $ 579,742 
LEGISLATIVE $ -$ -$ -$ -$ -$ -$ - 
LOCAL AFFAIRS $ -$ -$ -$ $ $ -$ - 
MILITARY AND 

VETERANS AFFAIRS $ 1,307 $ -$ -$ $ $ 1,307 $ i 
NATURAL 

RESOURCES $ -$ -$ -$ $ -$ -$ - 
PERSONNEL & 

ADMINISTRATION $ 9,028,332 $ - $ 26,933,769 $ $ 9,088,300 $ 60,032 $ 24,190,890 
PUBLIC HEALTH 

AND $ 5,090,459 $ -$ -$ -$ 1,322,450 $ 1,371,450 $ 5,041,459 
ENVIRONMENT 

PUBLIC SAFETY $ 2,487,185 $ -$ 78,081 $ -$ - $ 4,425,824 $ 4,567,840 
REGULATORY 

AGENCIES $ 5,667 $ -$ -$ -$ -$ 5,195 $ 473 
REVENUE $ 140,487 $ -$ 68,731 $ -$ 30,388 $ 1,907 $ 99,088 
STATE $ -$ -$ -$ -$ -$ -$ - 
TRANSPORTATION $ -$ - $ 30,553,318 u - ; -$ 1,564,366 $ 30,420,312 
TREASURY - 517, = - A - i: 258, rA - 258, aL 
SRE EE TE 


AGRICULTURE $ -$ -$ - $ -$ -$ -$ 
CORRECTIONS $ -$ $ - $ -$ -$ -$ 

EDUCATION $ -$ $ - $ -$ -$ -$ 

OFFICE OF THE 

a e $ 70,427 $ $ - $ -$ $ 71,927 $ 1,500 
HEALTH CARE 

POLICY AND $ 52,197,897 $ $ $ - $ 27,254,044 $ (986,927) $ (25,930,780) 
FINANCING 

HIGHER 

EDUCATION $ (11,240,679) $ $ (4,928,472) $ -$ $ (6,068,718) $ 243,489 
HUMAN SERVICES $ -$ $ $ -$ $ -$ 

JUDICIAL $ -$ $ - $ -$ $ -$ 

LABOR AND 

EMPLOYMENT $ 498-152324 $ - $ 868,610,253 $ -$ - $ 172,694,828 $ 543,152,757 
LAW $ -$ $ -$ -$ $ -$ 

LEGISLATIVE $ -$ $ $ -$ $ -$ 

LOCAL AFFAIRS $ -$ $ $ -$ $ -$ 

MILITARY AND 

VETERANS $ -$ -$ - $ -$ - § -$ 

AFFAIRS 

NATURAL 

Ro $ -$ -$ - $ -$ -$ -$ 

PERSONNEL & 

ADMINISTRATION $ “$ s$ a am a “$ 

PUBLIC HEALTH 

AND $ 4,066,335 $ -$ -$ -$ -$ 6,248,652 $ 2,182,317 
ENVIRONMENT 

PUBLIC SAFETY $ -$ -$ - $ -$ -$ -$ 
REGULATORY 

NGENCIES $ 361,744 $ -$ - $ -$ -$ -$ (361,744) 
REVENUE $ -$ -$ - $ -$ -$ -$ 

STATE $ - m -$ - $ -$ -$ -$ 
TRANSPORTATION $ -$ - $ -$ i i 

TREASURY $ -$ - $ -$ 


$ 543,608, n $ 863,681, mails 27,254,044|$ 171,959,762|$ 519,287,539 
(DECREASE) 


Fr 
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AGRICULTURE $ -$ -$ -$ -$ -$ 

CORRECTIONS $ - -$ -$ -$ -$ -$ - 
EDUCATION $ = -$ -$ -$ -$ -$ - 
OFFICE OF THE 

COVRNOR $ 73,427 $ =| £ -$ BiS PS PLZT S 1,500 
HEALTH CARE 

POLICY AND $ 199,826,597 $ -$ -$ - $ 65,182,670 $ 986,927 $ 295,882,721 
FINANCING 

HIGHER EDUCATION $ 11,456,471 $ - $ 28,545,274 $ -$ -$ 10,597,438 $ 459,279 
HUMAN SERVICES $ -$ -$ -$ -$ -$ -$ - 
JUDICIAL $ -$ -$ -$ -$ -$ -$ - 
LABOR AND 

EMPLOYMENT $ 1,237,031,439 $ - $ 868,610,253 $ -$ $ 715,335,061 $ 1,374,306,631 
LAW $ -$ -$ -$ -$ -$ -$ - 
LEGISLATIVE $ -$ -$ -$ -$ -$ -$ - 
LOCAL AFFAIRS $ -$ -$ -$ -$ -$ -$ - 
MILITARY AND 

VETERANS AFFAIRS $ -$ -$ a9 J -$ ii 
NATURAL 

RESOURCES $ k j T |e |e |e i 
PERSONNEL & 

ADMINISTRATION $ -$ g $ ai a “$ : 
PUBLIC HEALTH 

tay lei ee aA GEN $ 4,066,335 $ -$ -$ $ $ 7,933,080 $ 2,182,317 
PUBLIC SAFETY $ -$ -$ -$ $ $ -$ - 
REGULATORY 

ACENGES $ 361,744 $ $ -$ -$ $ -$ 1,085,231 
REVENUE $ -$ -$ -$ -$ -$ -$ - 
STATE $ -$ -$ -$ $ -$ -$ - 
TRANSPORTATION $ -$ - i - i i 8,729,576 $ -$ - 
aa $ 230,740$ J 115,370 : 115,370 
$ 1,453,046, 738 aE 155527 Se $ 735,039,803] $ 1,674,033,049 
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